CLEAR CHOICE TEST

NEXT-GEN FIREWALL


With SSL, who can you really trust?

BY TIM GREENE


HP’S PLANS to get out of the PC business, acquire software maker Autonomy and retreat from its webOS device investments will, if all goes as planned, let the tech giant sharpen its focus on enterprise IT markets and capitalize on the software-centric strengths of CEO Leo Apotheker.

“As an executive who has spent most of my career primarily in software, it is a world I know well,” Apotheker said during the company’s earnings call last week.

“As an executive who has spent most of my career primarily in software, it is a world I know well.”
LEO APOTHEKER, HP PRESIDENT AND CEO

But it’s an uphill climb nonetheless, as software has been responsible for only a small fraction of HP’s revenue in years past. In 2010, HP Software generated $3.59 billion in revenue, or 3% of the company’s $126 billion total revenue. But it’s on the upswing: HP Software logged 20% year-to-year


HP’s dramatic reshuffling reflects shades of IBM

BY ANN BEDNARZ, AGAM SHAH AND NANCY GOHRING

► See HP, page 14




SSL, THE encryption scheme that protects secure online transactions, requires that users rely on trusted third parties, but what if they can’t be trusted? Well, it turns out they can’t be, as demonstrated earlier this year by the breach linked to trusted third-party Comodo. But researchers are fashioning new trust models for SSL that they say are much less susceptible to being compromised.

One proposal, called Perspectives, is being vetted by a team at Carnegie Mellon University, and a second, called Convergence, is also being run through its

► See SSL, page 13
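Both Perspectives and Convergence replace reliance on a single CA signature with observations from independent network vantage points, or notaries, that record which certificate they saw for a host. The simulation below is an added example written for this page, not code from either project: it keeps each notary's observation history as a plain dictionary, decides by quorum, and shows why a mis-issued certificate of the kind the Comodo breach produced fails the check even though its CA chain would validate. Hosts, certificate bytes, notary names and the quorum are all constructed.

```python
"""Notary-style certificate check (simulation written for this page; not
Perspectives or Convergence code).

The client compares the certificate it was presented with what several
independent vantage points ("notaries") have observed for the same host,
instead of relying only on a CA signature. Observation records, hosts,
quorum and the stand-in certificate bytes are all constructed.
"""
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the value notaries record."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER certificates; only their fingerprints matter here.
GENUINE_CERT = b"constructed DER: CN=mail.example.net, issued by the site's real CA"
ROGUE_CERT = b"constructed DER: CN=mail.example.net, mis-issued by a compromised CA"
RENEWED_CERT = b"constructed DER: CN=mail.example.net, legitimately renewed"

HOST = "mail.example.net"


def make_notaries():
    """Three notaries that have each probed HOST and seen the genuine certificate.

    Each notary maps host -> observed fingerprints, oldest first. The real
    projects sign and timestamp these histories; that is omitted here.
    """
    return {name: {HOST: [fingerprint(GENUINE_CERT)]}
            for name in ("notary-a", "notary-b", "notary-c")}


def notary_verdict(host, presented_der, notaries, quorum=2):
    """Decide whether to trust `presented_der` for `host`.

    Returns (accept, agreeing, voting): accept is True only when at least
    `quorum` notaries' latest observation matches the presented certificate.
    A notary with no record for the host abstains, so a never-seen host
    yields (False, 0, 0) and the client must fall back to some other policy.
    """
    presented = fingerprint(presented_der)
    latest = [views[host][-1] for views in notaries.values() if views.get(host)]
    agreeing = sum(1 for fp in latest if fp == presented)
    return agreeing >= quorum, agreeing, len(latest)


def observe(notaries, name, host, cert_der):
    """Record a fresh probe result at one notary (what a re-scan would do)."""
    notaries[name].setdefault(host, []).append(fingerprint(cert_der))


if __name__ == "__main__":
    notaries = make_notaries()
    print("genuine:", notary_verdict(HOST, GENUINE_CERT, notaries))
    # The Comodo-style case: a certificate with a valid CA chain that no
    # notary has ever seen for this host. A CA check alone would pass it.
    print("rogue:  ", notary_verdict(HOST, ROGUE_CERT, notaries))
    # Legitimate renewal: once every notary re-probes, the new cert is trusted.
    for name in notaries:
        observe(notaries, name, HOST, RENEWED_CERT)
    print("renewed:", notary_verdict(HOST, RENEWED_CERT, notaries))
```

The quorum is the policy knob: set too low, a single notary that is itself being intercepted decides the outcome; set equal to the total, every legitimate certificate renewal is rejected until the last notary has re-probed. A notary with no history abstains rather than voting, so first contact with a host still needs a separate policy.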


Palo Alto earns short list status

App-aware firewall proves especially useful for controlling outbound traffic. Page 23 ►






FROM THE EDITOR  JOHN DIX

Bits: Comments, Blogs and Online

Partnering with vendors


Does the majority of your communications with suppliers revolve around problem resolution and sales presentations? If so, how do you get them to step up and improve service levels? How do you get them to work with you on innovation? How do you build a relationship that focuses their energies on your needs and benefits them in the process?

Those were some of the key questions Ken Piddington asked when he took over as CIO of Global Partners LP, an $8 billion energy company in the Northeast that sells a range of fuels to commercial, industrial and government operations.

There had to be a better way, Piddington thought. And after collaborating with some peers and doing more research, he put together Global’s Strategic Partner Program, a well-devised plan that he launched in the spring.

Part of the plan involves establishing vendor goals and annually reviewing performance against those goals, Piddington says (see the full Q&A online at tinyurl.com/3s3mq29). “We didn’t really have anything to measure and gauge them before.”

But he knew there had to be something in it for the vendors to get them engaged. It is all about “building a relationship,” he says. “That’s why we called it the Strategic Partner Program, not the Vendor Management Program.”

One component designed to benefit both parties: Quarterly Global Insight meetings. Global has agreed to give suppliers insight into business developments and key projects, which should help vendors more efficiently align products and services with Global’s needs, but obviously also helps Global.

Piddington also created Vendor Showcases, in which suppliers are given the chance to come in and demonstrate their latest and greatest to the appropriate audience. “If a company is trying to demonstrate some marketing software, while just having me might be OK, it isn’t going to provide the greatest value to them. So I’ll bring in the marketers,” he says.

A final vendor benefit: vendor awards announced at an annual dinner. There are awards for teamwork/collaboration, innovation and customer service, and then one of those three is also named vendor of the year. “For the vendor of the year, we committed to issuing a press release and posting photos on the website,” Piddington says.

He launched the whole effort at a dinner in March for 62 vendors, and the feedback has been positive. “I’d say 95% of them think this is a great opportunity. One or two have not been as enthusiastic as I would like.”

That last bit of insight is just one of the many good things this program could deliver. Who needs partners like that?
Driving with cellphones

JUST BECAUSE THE man didn’t cause an accident doesn’t mean his behavior isn’t careless and symbolic of a larger problem: People don’t act responsibly when freedom is afforded them (Re: “Driver using 2 cellphones gets 12-month driving ban”; tinyurl.com/3he7gh3).

Preventing people from using bad discretion when it threatens the safety of others is not totalitarian or invasive. It’s the right of the government to suspend privileges of those who do not use them like an adult. It’s time to stop allowing entitlement to drive our policies. People earn things, and lose them as well. This guy deserves to lose.

Chris

Peripherals and control

WHILE DISPLAY SURFACES look cool on “CSI,” “NCIS” and, of course, “Minority Report,” I just don’t see myself ever flinging numbers and formulas across a spreadsheet. And don’t get me started on the “10-foot interface” (a.k.a. “computing with mittens”) for TV — if ever there was an HMI abomination, that is it (Re: “After 30 years, IBM says PC going way of vacuum tube and typewriter”; tinyurl.com/3oslfjv).

But disregarding form factor, the PC will endure as long as the alternatives are closed appliances — it shouldn’t be necessary to jailbreak your cellphone or Xbox to have control over it. Cloud is great for many things, but networks will always have bandwidth and availability issues, so autonomous local computing with the ability to customize will have to be supported on any successor to the PC.

Dave999

Freedom to choose

WHY CAN’T CISCO, a for-profit company, behave as it chooses regarding discounts or even outright gifts, particularly to a nonprofit institution (Re: “Purdue’s hefty switch discounts ‘unusual,’ Cisco says”; tinyurl.com/3gkcd6n)? The net result (and intent) from this kind of public criticism is curtailment of business freedoms by the social do-gooders and legal community. The unseen enemy of freedom is the administration of fairness, which of course can never satisfy anyone.

Dr. Dilettante

Invective over class exercise

THE WORLD MUST seem to most people to be a very scary place. They cling to the little bits of familiarity and react with anger and near violence to anything that they believe threatens them (Re: “Harvard class project compares iPhone, Windows 7, Android, BlackBerry usability; triggers a wave of invective”; tinyurl.com/3ju456a). This class exercise pales in its instructional value to a study of the Internet chatter it created. While the students were focused on their phones and constructing their video, and the professor focused on what the students learned from the exercise, I hope some sociologists will take a look at the larger incident and what it says about society.

Anon

Windows vs. OS X

WINDOWS CODE IS mostly derived from the Windows NT code which was designed specifically for LAN environments (and with a lot of DEC engineering input), while OS X has always been a PC OS and not a network client/server OS. So it is a given that authentication mechanisms will be more supported on the Windows platform than on OS X (Re: “Black Hat: Apple does well but Microsoft does better with enterprise security”; tinyurl.com/4yz4hub).

Just check the participation of Microsoft’s engineers in IETF forum meetings vs. Apple’s. Microsoft enterprise Windows OS is a well-designed OS keeping in mind the security (AAA) requirements of the mid-range and large corporation.

OS X was created as a layer on FreeBSD kernel while ignoring most of the AAA enhancements made to the open-source OpenBSD or FreeBSD code. If only Apple took the enterprise as seriously as it takes the consumer . . .

Calahas


IBM brings brain power to experimental chips

IBM HAS CREATED prototype chips, modeled around neural systems, that mimic the brain’s structure and operation through silicon circuitry and advanced algorithms. Like the brain, IBM’s experimental chips can dynamically rewire to sense and understand and act on information fed via sight, hearing, taste, smell and touch, or through other sources such as weather and water-supply monitors. The chips will help discover patterns based on probabilities and associations, all while rivaling the brain’s compact size and low power usage, said Dharmendra Modha, project leader for IBM Research. “We now have the seeds of a new architecture that can allow us to mine the boundary between the physical and the digital world in an ever more efficient way,” Modha said. tinyurl.com/3wayo7g
Red Hat RHEV freed from Windows fetters

WITH THE next release of its Red Hat Enterprise Virtualization (RHEV) package, Red Hat has finally rid itself of one of its most notorious dependencies, namely the use of Microsoft’s Windows Server and SQL Server. The beta of RHEV 3.0, released last week, will be the first version of the virtualization package that does not require a copy of Microsoft Windows Server to run the management console. The new beta version also shows that the company has put forth considerable effort in allowing the software to handle larger workloads, which should make it competitive with another chief rival of Red Hat in the virtualization space, VMware. “VMware is not the only game in town,” said Navin Thadani, Red Hat senior director of virtualization business. “We’re in a really good position to capitalize on the growing demand for alternatives to VMware.” tinyurl.com/3kjej2g

AES proved vulnerable

SO MUCH for unbreakable. Researchers from Microsoft and a university in Belgium have discovered a way to break the widely used Advanced Encryption Standard (AES), the algorithm used to secure most online transactions and wireless communications. Their attack can recover an AES secret key three to five times faster than previously thought possible, reported the Katholieke Universiteit Leuven. In practice, the methodology used by the researchers would take billions of years of computer time to break the AES algorithm, they noted. But the work, the result of a long-term cryptanalysis project, could be the first chink in the armor of the AES standard, previously considered unbreakable. tinyurl.com/3rbn26l

Land of Lincoln

Check out our collection of the geekiest license plates and add your own at tinyurl.com/447fox7


Collar bomber’s tech gaffe

THE MAN who claimed to have attached a bomb collar to an Australian high school student thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn’t realize is that he also left his name, hidden deep in the device’s memory. An inspection of the USB drive turned up files the criminal thought he’d deleted, including a version of the ransom note written in Microsoft Word that contained metadata about the document’s author, “Paul P.” tinyurl.com/42zozah

W3C broadens community participation

HOPING TO broaden user input and speed the development of new technologies, the World Wide Web Consortium (W3C) has established two new virtual working spaces for individuals and organizations to develop specifications. The first platform, Community Groups, will allow anyone, at no cost, to create or participate in a working group. The W3C has already set up eight Community Groups, including those focused on Web payments, the semantic markup of online news stories and the Open Digital Rights Language. The second platform, Business Groups, will provide a place for organizations to hash out standards for their own specific fields, such as healthcare. The W3C has set up one Business Groups forum, for the oil, gas and chemical industry. tinyurl.com/3vwz8yx

IE best at protecting against drive-by downloads

INTERNET EXPLORER is better at defending against drive-by downloads than competitors’ browsers and the contest isn’t even close, according to a worldwide test of browsers by security research firm NSS Labs. Internet Explorer netted a 99.2% protection score in the firm’s most recent test of socially engineered malware distribution, with Google Chrome coming in a distant second with 13.2%. Trailing behind it were Safari and Firefox tying with 7.6% each, and Opera pulling up last with 6.1%. The report credits Microsoft’s SmartScreen URL and Application Reputation features with landing the big score. tinyurl.com/4yf3umz

GOOD BAD UGLY

IT hiring remains strong

IT HIRING in the U.S. is expected to remain robust through the end of the year, bucking renewed fears of a double dip recession recently brought on by stock market corrections, the ongoing debt crisis in Europe and the U.S., and Standard & Poor’s downgrade of America’s credit rating. “Despite the economic woes, I haven’t seen any change in demand [for IT workers],” says Shane Bernstein, managing director of IT staffing firm Q. “In fact, demand keeps increasing.” Q’s clients are seeking all manner of software developers: Java, .NET, open source, PHP, Ruby on Rails and Python. Systems administrators are also in demand.


VIDEO

MIT researchers improve aircraft carriers

The DCAP system helps humans and computers work together to improve military operations. tinyurl.com/4y67vcw


chief  architect  for  IPv6  at  Com¬ 
cast.  tinyurl.com/3jzz7n5 


Fired techie creates virtual chaos at pharma company

LOGGING IN from a McDonald’s restaurant, a former employee of a U.S. pharmaceutical company was able to wipe out most of the company’s computer infrastructure. Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pleaded guilty last week to computer intrusion charges in connection with the attack, which targeted 15 VMware host systems that were running e-mail, order tracking, financial and other services for the Florham Park, N.J., company. “The Feb. 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via email,” the U.S. Department of Justice said in court filings. Total cost to Shionogi: $800,000.
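The pattern in this brief is a former staffer's access still working, used from a public network, to delete virtual machines in bulk. The checks below, run over a constructed hypervisor-management audit log, are an added example and not code from the case, from Shionogi or from VMware: the log format, the HR feed, the account and VM names, the addresses and the thresholds are all stand-ins, and the parser would need adapting to whatever a real management server emits.

```python
"""Three detections for the failure mode in the Shionogi brief, run over a
constructed VM-management audit log. Added example for this page; not from
the case or from any vendor. Log format, HR feed, names, addresses and
thresholds are all constructed assumptions.
"""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user ip action target")

# Constructed HR feed: account -> termination date, or None if still employed.
TERMINATED = {"jdoe": datetime(2011, 1, 14), "ops-admin": None}

# Constructed audit lines: ISO timestamp, user, source IP, action, target.
# 198.51.100.0/24 is a documentation range standing in for public Wi-Fi.
SAMPLE_LOG = """\
2011-02-03T22:01:10 jdoe 198.51.100.23 LOGIN -
2011-02-03T22:04:31 jdoe 198.51.100.23 VM_DELETE mail01
2011-02-03T22:04:50 jdoe 198.51.100.23 VM_DELETE mail02
2011-02-03T22:05:02 ops-admin 10.0.5.7 LOGIN -
2011-02-03T22:05:12 jdoe 198.51.100.23 VM_DELETE orders01
2011-02-03T22:05:40 jdoe 198.51.100.23 VM_DELETE finance01
2011-02-03T22:06:03 jdoe 198.51.100.23 VM_DELETE fileserver
2011-02-03T22:06:29 jdoe 198.51.100.23 VM_DELETE ad-dc01
2011-02-03T22:30:00 ops-admin 10.0.5.7 VM_DELETE test-vm01
2011-02-03T23:10:00 ops-admin 10.0.5.7 VM_DELETE test-vm02
"""

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def parse_log(text):
    """Parse the constructed space-separated audit format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, target = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, action, target))
    return events


def terminated_account_logins(events, terminated):
    """Logins by accounts whose HR termination date is already in the past."""
    hits = []
    for ev in events:
        gone = terminated.get(ev.user)
        if ev.action == "LOGIN" and gone is not None and ev.ts > gone:
            hits.append((ev.user, ev.ts, ev.ip))
    return hits


def external_logins(events, corporate_nets=CORPORATE_NETS):
    """Management-plane logins from addresses outside the corporate ranges."""
    hits = []
    for ev in events:
        if ev.action != "LOGIN":
            continue
        addr = ipaddress.ip_address(ev.ip)
        if not any(addr in net for net in corporate_nets):
            hits.append((ev.user, ev.ts, ev.ip))
    return hits


def vm_delete_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users who deleted at least `threshold` VMs within any `window`.

    Returns (user, window_start, count) the first time the threshold is hit,
    so a long rampage produces one alert rather than one per deletion.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev.action == "VM_DELETE":
            per_user[ev.user].append(ev.ts)
    hits = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, times[start], end - start + 1))
                break
    return hits


def analyze(text=SAMPLE_LOG, terminated=TERMINATED):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "terminated_logins": terminated_account_logins(events, terminated),
        "external_logins": external_logins(events),
        "delete_bursts": vm_delete_bursts(events),
    }


if __name__ == "__main__":
    for check, findings in analyze().items():
        print(check)
        for finding in findings:
            print("   ", *finding)
```

The first check is the one that matters most and is the cheapest: it needs only an HR termination feed joined against authentication events. The other two are corroboration; on their own, an external login may be a legitimate remote administrator and a deletion burst may be a cleanup job, which is why the thresholds are tunable.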

Spam hits two-year high

SPAM — particularly the kind with malicious attachments — is exploding, reaching a two-year high overall, which includes the spike last fall just before the SpamIt operation folded its doors. In fact spam traffic is about double what it was then, according to M86 Security Labs, which monitors spam levels across selected domains. “After multiple recent botnet takedowns, cybercriminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process,” the company says.


Comcast expands IPv6 trial

COMCAST HAS added Michigan to its list of states — including Pennsylvania, California, Colorado, Illinois and Florida — where the cable ISP is offering services that support the next-generation Internet standard known as IPv6. Comcast began its IPv6 trial 16 months ago to test several different transition mechanisms between IPv4, the Internet’s current addressing scheme, and IPv6. “Given the success we’re seeing ... we’re going to keep expanding the availability of IPv6 and keep marching towards a production launch,” says John Brzozowski, distinguished engineer and


Texting dominates smartphone apps

YOU CAN keep your fancy Angry Birds games and NFC-based wallets because old-fashioned text messaging is still the most popular application for smartphone users in the United States. According to a recent survey conducted by the Pew Internet and American Life Project, 92% of smartphone users send or receive text messages on their devices, thus making SMS the most popular smartphone application along with taking pictures, which is also used by 92% of smartphone users. tinyurl.com/3unqv39


PARITY  BITS 

4.1B 

The  number  of  worldwide  email 
accounts  by  the  end  of  2015, 
up  from  3.1  billion  this  year. 

SOURCE:  THE  RADICATI  GROUP 
TREND ANALYSIS

Six ways to look at Google-Motorola deal

BY JOHN COX

LAST WEEK’S mega-mobility-deal throws into relief a range of interrelated issues facing Google, its advertising-based business model, and the role and future of the Android mobile operating system. This melange features six key items:


1. It’s all about the patents.

Google saw its Android mobile operating system under mounting pressure from patent infringement actions by Apple and Microsoft (and separately by Oracle over Java licensing), and bought Motorola for its 24,500 patents and patent applications as a defensive, some say “desperate,” countermove.

“Google tried to present its $12.5 billion acquisition of Motorola as an opportunity to ‘supercharge the Android ecosystem,’ but the deal was equally prompted out of desire to protect Android from further patent lawsuits using Motorola’s strong patent portfolio,” writes Nilay Patel, at ThisIsMyNext.com.

Google will become involved in two high-profile patent disputes with Apple and with Microsoft. It’s already a direct party in Oracle’s suit over licensing its Java code for Android.

Patel says the Motorola patents give Google leverage over its rivals: They’ll think twice about starting or continuing Android suits because they open themselves to countersuits based on the Motorola patents, or they can be induced to resolve disputes with a mutually beneficial cross-licensing deal.


2. It’s not about the patents.

“Android still has patent issues,” says Bill Morelli, analyst with IMS Research. “The acquisition will not provide much, if any, substantive relief from the patent lawsuits against Motorola and Google. Many see this move as an admission by Google of just how weak the Android patent position is.”

The number of Motorola patents doesn’t speak to their importance or to their value. Florian Mueller, who describes himself as an “intellectual property activist-turned-analyst” and mobile patent consultant, argues that Motorola’s patent portfolio is quite weak. So far, he notes, it hasn’t stopped Apple or Microsoft from filing infringement actions.

“Both disputes are at a fairly advanced stage,” Mueller says. “For example, the ITC [U.S. International Trade Commission] hearing on Microsoft’s initial complaint against Motorola will begin in a week ... At this stage, Motorola has certainly fired its best shots, and those aren’t really impressive.”

In “Android Isn’t Free: How Google’s acquisition of Motorola Mobility will make it more like Apple,” Farhad Manjoo writes for Slate, “Today, the [Android] platform is ‘open’ but chaotic — because phone-makers get the software for free and can do whatever they want with it, Android is available on some good phones as well as lots and lots of cheap, bad ones. In the aftermath of this deal, Google will seek to exert greater influence over hardware companies. Eventually, the deal will help reduce the number of new Android devices that are released every year, and the few that are released will be of generally higher quality — and sell for higher prices — than what we see in the Android device market today.”

3. Does Google actually have a “strategy”?

The jury is still out, and a lot of experts seem at least uncertain.

“I can’t imagine that any company would spend $12.5 billion without having some strategy in mind. Whether that is a good strategy or not remains to be seen,” Morelli says.

“Usually when a big tech merger happens you can see the logic behind it,” writes Michael Mace, a former executive at Apple and Palm and currently CEO of Cera Technology, an early-stage startup. “But in this case the more I think about it the more confused I get.”

“Did Google buy Motorola for the patents? If so, why isn’t it spinning out the hardware business? Or did Google buy Motorola because it wants to be in the hardware business? If so, does it understand what a world of other problems that will create for Android and the rest of Google? Seriously, if Google tries to integrate Motorola into its business we could end up citing this as the deal that permanently broke Google.”

4. No matter what they say publicly, Google’s Android partners are not happy.

“Given the very high stakes involved, and Google’s past history of contentious relationships with its partners, and the ongoing legal issues that Android is facing, all of the Android licensees are carefully evaluating all the options that are available to them,” Morelli says.

“The Android ecosystem is here to stay and this move [with Motorola] would not push partners away from Android completely,” says Craig Cartier, an analyst with Frost & Sullivan.

But some analysts think Google is prepared to make them unhappier still.

Andrew Borg, senior research analyst for wireless and mobility at Aberdeen Group, is one who thinks Google may use Motorola to offer Android devices — “gPhones” and “gPads” under a Motorola label — at very low cost or possibly even free, subsidized by its ad revenues. “Ultimately we believe Google’s end game is about ad delivery, not handset domination, so they will make judicious choices that keep their dominant position in digital ad delivery on a global basis, while keeping the OEMs in tow for as long as possible,” he says.

Mueller voices a similar view. “Google’s vision for this world is that all information and communications technology products and services should have a price of zero, or at least a profit margin of zero, as long as Google can sell advertising to McDonald’s, General Motors, banks, insurance companies, etc,” he says. “To make this happen, Google uses Android, and also Chrome, as a tool to lock end users into its services.”


OWall  Street  doesn’t  like  it. 

■  “Their  biggest  challenge  will  be  to 
appease  Wall  Street  and  institutional  inves¬ 
tors  to  sit  tight  and  watch  them  [Google]  exe¬ 
cute  on  their  global  plans  for  the  long  term, 
despite  the  imminent  dilution  of  profit  mar¬ 
gin,”  says  Aberdeen’s  Borg.  “Mix  high-margin 
ad  revenue  with  low-to-no-margin  hardware 
business  and  dilution  becomes  inevitable.” 

6  So  far,  investors  are 
■  unappeased. 

The  day  after  Google  announced  the  deal, 
Standard  &  Poor’s  analyst  Scott  Kessler  cut 
his  rating  on  the  search  engine’s  stock  to  Sell 
from  Buy,  and  cut  his  12-month  price  target 
on  the  stock  to  $500,  from  $700.  He’s  unsure 
about  whether  Motorola’s  patents  will  do 
much  to  protect  Android,  and  he’s  sure  that 
the  deal  “would  negatively  impact  GOOG’s 
growth,  margins  and  balance  sheet.” 

Referencing  Kessler’s  analysis,  Forbes 
reporter  Eric  Savitz  noted  last  Tuesday  that 
“Google’s  market  cap  has  been  trimmed  by 
$8.7  billion  in  the  last  two  days,  suggesting 
serious  doubts  among  investors  about  the 
company’s  strategy.” 

At  end  of  day  Thursday,  Aug.  18,  the  stock 
continued  its  all-week  slide,  closing  at  $504.88, 
down  $28.27  or  5.30%  for  the  day.  ■ 
TREND ANALYSIS

► SSL, from page 1

paces by Moxie Marlinspike, a fellow at the Institute for Disruptive Studies, a lab devoted to privacy, anonymity and computer security. Their schemes are similar and call for shifting the authentication of SSL-protected Web servers from browsers and certificate authorities to a new entity called a notary.

Traditionally, when a browser wants to set up an SSL session with a server, it asks for the server’s SSL certificate. The browser verifies the authenticity of the certificate by checking whether it has been signed by a root certificate authority that the browser trusts. In practice, the browser may rely directly on other certificate authorities that are ultimately vouched for by the root authority.

This creates a chain of trust. If any link in one of these chains of trust is compromised, attackers could acquire false certificates. These invalid certificates could be used to trick browsers into trusting them, and that sets browser-to-server communications up for man-in-the-middle attacks.

That is the scenario in the Comodo breach, in which one of its trusted partners issued nine phony certificates.

With Perspectives and Convergence, rather than relying on certificate authorities and the root certificates that ship with browsers, trust is placed on a notary. Notaries are servers that routinely check and record what certificates Web servers present over time.
When a browser receives a certificate from a server, it doesn’t seek confirmation that the certificate is linked to a root authority. Instead, it asks a notary whether it matches the certificate that the server has been regularly issuing over a period of time. If so, that is a good indication that it is a legitimate certificate for that site.

The upside is that this trust model doesn’t rely on a small static set of certificate authorities, says David Andersen, an assistant professor at Carnegie Mellon’s computer science department, who heads up the Perspectives project.

He hopes that in a fully deployed architecture, major corporations as well as smaller companies and individuals would set up notaries. Notaries could share the data they gather. “As long as they all agree, then that site is OK. You can trust the accumulated results,” he says. Users get a statistical, probabilistic verification of a certificate’s authenticity, he says.

Marlinspike says this architecture gives end users trust agility — the ability to switch who they trust initially and to shift that trust to someone else. Under the current system, trust is determined by what root certificates browsers support and that predetermined trust is locked in between browsers and certificate authorities.

Convergence creates a notary relay that keeps any one notary from knowing both who is requesting authentication for a given certificate and what site that certificate is issued to.

At the moment Perspectives serves only 30,000 users, Andersen says. To replace the current system would require a worldwide network of perhaps hundreds of notary servers akin to the network of DNS servers. But, he says, the tasks they would be asked to perform are simpler and fewer servers would be needed.

A new way to trust SSL

[Diagram] Researchers are working on a more trustworthy way to verify the validity of SSL certificates that pave the way for secure Web transactions. The basic design is shown here. (Labels: SSL Web server; Client with Web browser)

1. A Web browser attempting to connect with an SSL-protected Web server seeks and receives the server’s public key - its SSL certificate.

2. The browser asks Notary A to verify the validity of the certificate and it relays the request to Notary B. The purpose is to improve privacy by making the identity of the requesting browser unavailable to the notary server.

3. … certificates being sent by the SSL server, Notary B relays back whether the certificate seems valid.
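The notary check described in the article and sketched in the diagram, as an added example that is not code from the Perspectives or Convergence projects: a small simulated notary network in Python. The notaries, the host name example.test, the certificate byte strings and the observation history are all constructed for the example; the quorum count and the minimum number of consecutive days (the quorum-duration idea from Perspectives) are assumed thresholds, not the projects' defaults. It shows three outcomes a practitioner cares about: a long-observed certificate is accepted even when one notary disagrees, a mis-issued certificate presented by a man-in-the-middle is rejected because the honest notaries have never seen it, and a legitimately rotated certificate is flagged as too new until a quorum has observed it for long enough.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """Notaries record a digest of the certificate, not the certificate itself."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER-encoded certificates (not real certificates).
GOOD_CERT = b"constructed: long-standing certificate for example.test"
ROGUE_CERT = b"constructed: mis-issued certificate for example.test"
NEW_CERT = b"constructed: legitimately rotated certificate for example.test"


@dataclass
class Notary:
    """One notary server: it probes sites over time and keeps what it saw."""
    name: str
    history: dict = field(default_factory=dict)  # host -> [(day, fingerprint), ...]

    def observe(self, host: str, day: int, cert_der: bytes) -> None:
        self.history.setdefault(host, []).append((day, fingerprint(cert_der)))

    def key_on_day(self, host: str, day: int):
        """Fingerprint this notary believes `host` used on `day`: its latest
        observation on or before that day, or None if it never probed the host."""
        seen = [fp for d, fp in self.history.get(host, []) if d <= day]
        return seen[-1] if seen else None


@dataclass
class Verdict:
    accepted: bool
    agreeing: int      # notaries whose current observation matches the presented key
    quorum_days: int   # consecutive days (ending today) a quorum has seen that key
    reason: str


def verify(host, presented_der, notaries, today, quorum=2, min_days=7):
    """Perspectives-style check (thresholds are assumed, not the project's defaults):
    accept only if at least `quorum` notaries currently see the presented key AND
    a quorum has seen that same key for at least `min_days` consecutive days."""
    fp = fingerprint(presented_der)

    def agreeing_on(day):
        return sum(1 for n in notaries if n.key_on_day(host, day) == fp)

    agreeing = agreeing_on(today)
    if agreeing < quorum:
        return Verdict(False, agreeing, 0, "presented key does not match what notaries observe")

    days, day = 0, today
    while day > 0 and agreeing_on(day) >= quorum:
        days, day = days + 1, day - 1
    if days < min_days:
        return Verdict(False, agreeing, days, "key is too new: quorum duration below threshold")
    return Verdict(True, agreeing, days, "a quorum of notaries has consistently observed this key")


def build_demo_notaries(host="example.test"):
    """Constructed history: three honest notaries saw GOOD_CERT every day for a
    month; a fourth (compromised or fed bad data) reports ROGUE_CERT instead."""
    notaries = [Notary(f"notary-{i}") for i in range(4)]
    for day in range(1, 31):
        for n in notaries[:3]:
            n.observe(host, day, GOOD_CERT)
    notaries[3].observe(host, 30, ROGUE_CERT)
    return notaries


def run_demo():
    host = "example.test"
    notaries = build_demo_notaries(host)
    results = {
        # The legitimate site: three honest notaries agree, the rogue one is outvoted.
        "legitimate": verify(host, GOOD_CERT, notaries, today=30),
        # A man-in-the-middle presenting a mis-issued cert: only the rogue notary agrees.
        "mis-issued": verify(host, ROGUE_CERT, notaries, today=30),
    }
    # Edge case: the site rotates its certificate on day 31. The honest notaries
    # see the new key at once, but it has no history yet, so it is not trusted.
    for n in notaries[:3]:
        n.observe(host, 31, NEW_CERT)
    results["fresh-rollover"] = verify(host, NEW_CERT, notaries, today=31)
    # Ten days later the new key has accumulated enough quorum duration.
    for day in range(32, 41):
        for n in notaries[:3]:
            n.observe(host, day, NEW_CERT)
    results["settled-rollover"] = verify(host, NEW_CERT, notaries, today=40)
    return results


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:17} accepted={v.accepted!s:5} agreeing={v.agreeing} "
              f"quorum_days={v.quorum_days:2}  {v.reason}")
```

The duration rule is what separates this from a simple majority vote: a freshly rotated key and a freshly mis-issued key look identical to a notary on the day they first appear, so the model can only say "no one has seen this before" and let the client decide how much history it requires. Raising `quorum` relative to the number of notaries queried is the lever against individual notaries that are compromised or fed bad data, as `notary-3` is here.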
► HP, from page 1

growth and reached $780 million in revenue in the second quarter of 2011, driven by last year’s acquisitions of Fortify and ArcSight, notes Jillian Mirandi, an analyst at Technology Business Research (TBR). HP’s fastest growing business unit is also its most profitable, with a 19.4% operating profit.

Conversely, HP’s Personal Systems Group, which sells PCs, tablets and smartphones, has the company’s lowest profit margin, although it accounted for nearly one-third of HP’s overall revenues in 2010. HP’s decision to let go of its industry-leading PC business is a sign of just how severely the explosive tablet market has damaged the PC market.

The PC business is the first domino to fall as Apotheker tries to bring greater profitability to the company, says Ezra Gottheil, a senior analyst at TBR. “It’s a much more exaggerated consequence of the [direction] the company decided to go with Leo Apotheker. Clearly the board wanted higher margins,” he says.

The planned PC spinoff echoes IBM’s sale of its PC business to Lenovo in 2005 to focus on higher-margin enterprise software and services. However, “HP will be challenged to drive software to be the kind of generator of profit that it is at IBM,” Gottheil says.

Another challenge is finding a new home for the world’s largest PC business; HP estimates it will take 12 to 18 months to sell, spin off or otherwise give the PC business the independence it needs to continue.

“We are focusing on what needs to be fixed, what needs to be shut down and what needs to be considered for separation,” Apotheker said.

Software is clearly in the wheelhouse of longtime SAP chief Apotheker, who took the helm at HP in November 2010. He was put in place to redesign HP around his skill set, much like Steve Jobs did at Apple and Sam Palmisano did at IBM, says Rob Enderle, an analyst with the Enderle Group.

Adding Autonomy to HP’s software arsenal will not only provide a revenue bump but also could give HP a boost in data analytics as well as network and systems management.

A leader in enterprise search and data management, Autonomy has grown through several acquisitions of its own in recent years, including its purchases of content management firm Interwoven, for $775 million in 2009; e-discovery firm Zantaz, for $375 million in 2007; and search software maker Verity, for $500 million in 2005.

More recently, Autonomy acquired CA Technologies’ information governance business in 2010 for an undisclosed amount, and it picked up digital assets from Iron Mountain in May of this year.

HP’s billion dollar buys

Here’s a look at HP’s buying history.

Palm: In 2010 HP paid $1.2 billion for Palm and its webOS software looking to make a splash in the mobile world.

3Com: In 2009, HP added 3Com’s Ethernet network switches, routers and security products to its ProCurve business. The deal cost $2.7 billion.

EDS: In 2008, HP said it would invest $13.9 billion in exponentially expanding its global IT services business via the acquisition of EDS.

Opsware: In 2007, HP grabbed Opsware for $1.6 billion for the company’s data center automation technology.

Mercury Interactive: One of HP’s initial moves to broaden its niche network management software into a larger IT management software suite involved paying $4.5 billion to buy application management vendor Mercury Interactive.

Compaq: The deal that started it all. HP grabbed up Compaq in 2002 for about $25 billion.

VeriFone: In 1997, HP paid about $1.2 billion to acquire e-commerce and smart-card technology maker VeriFone to help customers in the financial services and other industries advance Internet-based business.

Such a software portfolio would be “a natural complement to HP’s efforts and technologies” in the enterprise content space, says Charles King, principal analyst at Pund-IT. It would dovetail particularly well with HP’s Vertica database and 3PAR data storage products.

On the IT management front, HP could gain by combining Autonomy’s data expertise with its system management technology, says Curt Monash of Monash Research.

Yet there are challenges HP will have to address with this facet of its overhaul, too.

“For HP to make this financially successful, it’s going to have to do a strong job of enhancing the technology going forward,” Monash says. “Autonomy is the leader in enterprise search and retrieval of poly-structured data, but it has grown through acquisition and a lot of the technology pieces are still pretty simplistic. It’s the future generation of Autonomy technology, over the next few years, that will determine whether this deal succeeds or fails.”

While the shift to software seems preordained, given Apotheker’s background, HP’s decision to stop making tablets and smartphones based on webOS comes as a surprise, particularly since the news hit just 49 days after the TouchPad tablet launch, and a year after HP paid $1.2 billion to acquire the OS from Palm.

Developers gave the webOS high marks, and users were enthusiastic about the interface. But neither Palm nor HP was able to make products that lots of users were willing to buy.

“About a year ago, we made a bet on webOS and the opportunity to launch our own ecosystem around devices, applications and new markets. At that time, we set clear metrics and milestones to monitor the success of webOS,” said Cathie Lesjak, HP’s executive vice president and CFO. “Our intention was to solidify webOS as the clear No. 2 platform for tablets. But with such a young ecosystem and poorly received hardware, we were unable to achieve our target.”

Analysts say HP buckled under the pressure of Apple’s momentum and growing support for Android, but that webOS could still live on at licensees and offer a competitive OS to Android and Windows Phone.

Much like Apple’s mobile device strategy, HP intended to wrap together hardware, software and services but lost patience and decided to cut its losses, says TBR’s Gottheil. “With their OS, building the market would’ve taken time. It’s clearly an offering that required patience,” Gottheil says.

With the decision to separate the hardware and software businesses, HP runs counter to the trend in the mobile market to vertically integrate development. With Google’s planned acquisition of Motorola Mobility, Windows Phone became the only major OS whose creator doesn’t also make hardware. Now, however, HP joins Microsoft as developer of an OS that is licensed to hardware makers.

“Now that Google has acquired its own hardware vendor, webOS could be a good alternative for some of the Android-only vendors,” says Chris Hazelton, an analyst with The 451 Group.

HP plans to turn the webOS into its client play and go after the opportunity that Google created when it bought Motorola, Enderle says. “They couldn’t do that as long as they had client hardware. In effect, [HP’s] response to the consumerization of IT is to partner with consumer companies, not try to be one anymore. This should create some concerns with Microsoft as they are drifting into Microsoft’s turf.”
Clemson IT team embraces call to be entrepreneurial

BY JOHN DIX

FIVE YEARS ago Clemson University named James Bottum CIO and gave him the mandate to overhaul the school’s IT infrastructure and build out a high performance computing environment. The goal: catapult the school into a leading research university and help attract faculty and students.

Mission accomplished. The South Carolina school is now among the top five non-federally funded University Supercomputing sites. But just as importantly, the environment Bottum helped create is driving creative funding efforts, everything from attracting partners that want to use the high-performance computing (HPC) system to sale of commercial software and new grants that benefit both the school and IT.

“Last year the Clemson president told us our best years of public sector funding from the state were most likely behind us because of the financial crisis, and we needed to rethink our business model,” Bottum says. “The encouragement was to become entrepreneurial.”

Fortunately many of the changes Bottum’s team made properly positioned Clemson for the new normal. The university has seen 180% growth in revenue from external sources, which helps supplement the school’s IT budget, and a 250% increase in federal grants, part of which help offset IT costs.

Bottum has unique qualifications that are helping get it all done. He spent 20-plus years in the research sector, including a stint at the National Science Foundation, then 15 years at the National Center for Supercomputing Applications, and for the last 10 years he has been a CIO (at Purdue before this).

Bottum’s team at Clemson has a lot of recent achievements to be proud of, but they also get to investigate leading-edge stuff, everything from the huge HPC grid to new OpenFlow tools and the school’s own Orange File System.

Early goings

When Bottum arrived at Clemson the school had 48 IT groups, each of which had its own servers and storage and many of which ran their own networks.

“I saw a departmental IT person in a room with fans blowing on a server,” he says. “All of the high-performance computing was in a little data center in the engineering science college. They had about six or seven clusters but didn’t have enough juice to power them all up at the same time. It was a real belt and suspenders kind of operation, a cluster in the closet model.”

A couple of other surprises: The university was buying commodity 100Mbps Internet service at a much-inflated price from local telecom companies, and the school had a large data center 10 miles off campus with expansion potential to 30,000 square feet. The former meant the university could make a big leap forward by joining Internet2, and the latter was going to make it easier to aggregate the IT operations and modernize.

While the initial funding for the overhaul would come from the school itself, the new HPC capabilities attracted new monies along the way and Clemson won many grants, including an NSF Research Infrastructure Improvement Award.

Job one was rehabbing the data center and the Information Technology Center, and aggregating most of the IT groups and resources. The building was 20-plus years old and was upgraded in two phases.

“We had 7,000 or 8,000 square feet of space, half a megawatt, and 20-something-year-old power and air conditioning when I got here,” says CTO Jim Pepin, who came over from the University of Southern California (USC). “We went up to 2 megawatts and filled that up in less than two years as we consolidated operations and started to build our HPC cluster.”

The first phase ended in December 2007, and in the second phase, which was completed in December 2010, the data center space was built out to 16,000 square feet and split between two environments, one for enterprise gear — everything from email and student systems to a mainframe to support the state’s Medicaid system — and the other for the HPC system, a 1,629-node Linux cluster. “So now we have two physically separate rooms with different air conditioning profiles and 4.5 megawatts,” Pepin says.

Connectivity was increased from the 100Mbps connection serving the university to multiple 10G fiber wavelengths to Charlotte, N.C., and Atlanta, which are used to access Internet2 and link to partners and other universities. “We’re also building out multiple 10G wavelengths around the state,” Pepin says. Together these links — and access to the National LambdaRail — enable Clemson to connect to national infrastructure, allow other state institutions to access Internet2 through Clemson, and provide nationwide access to the Clemson HPC cluster and other collaborative resources.

The school also now has two gigabit connections on the National Higher Education Network to Pepin’s former employer, USC, where Clemson has three racks of backup gear for disaster recovery. “No money changes hands, but I have rack space in California and they have rack space here and it makes their data center look like an extension of mine and vice versa,” Pepin says. “That’s the model we’re looking at building, where the network is the basic building block of how we can connect these things together.”

Demand for HPC

The cluster — what the group sometimes refers to as a cloud — is one of the crown jewels.

“We’re not building some generic Joni Mitchell cloud,” Pepin says. “Not some vanilla, virtualized, blah, blah, blah. There’s all of that stuff inside, but it’s much more comprehensive, it’s a much richer texture than that. We’re building a cloud that is really infrastructure and services so we can actually do science with national labs and other people in the state.”

The massive 1,629-node cluster is a combination of Dell, IBM, HP and Sun gear (mostly four FLOPs Intel/AMD architecture). Each node is a physical server with two sockets holding quad core processors, meaning eight cores per device and a total count of 14,304 server cores.

[Photo] From left to right in front of the HPC cluster: Jay Harris, director of operations; Boyd Wilson, executive director of computing, systems and operations; Mike Cannon (front), data storage architect; Jim Pepin (back), CTO; Lanae Neild, HPC administrator; Becky Ligon, file system developer. (Photo by Zac Wilson)

Nodes are interconnected using a combination of 88 10G Ethernet ports from Arista and Cisco, and 3,008 ports of low-latency 10G Myrinet network technology from Myricom. Four 16-port, 4Gbps QLogic Fibre Channel switches are used to support storage needs.

The servers aren’t virtualized because the jobs supported are typically numerically intensive and very high performance. “So this is more of a grid than a cloud,” Pepin says. “We call it a cloud because it’s the shared resources model, but we run it like a grid you would see at one of the national labs.”

All told, the cluster, with its latest nodes, will benchmark at above 100 trillion floating point instructions per second, making it about 90th on the list of the fastest supercomputers in the world.

The open source Maui Cluster Scheduler is used to allocate cluster resources — which are allotted by the cores required — but some users are guaranteed access to specific resources at specific times in condominium fashion.

Cluster usage has been tremendous, but Bottum had some trepidation going in. “One of the things I was afraid of was, if we spent this money and put up these capabilities, that nobody would come and use it,” he says.

Turns out he didn’t need to worry. “In a state like South Carolina where no public institutions were on Internet2, if you build something like this you start attracting attention,” Bottum says. “The one thing I did that you could construe as marketing was speak at a South Carolina IT Directors meeting in Charleston. They wanted to know what we were doing, so I threw out the idea of building a South Carolina cloud, an environment for shared services, and told them if they were interested to sign up at the door.”

A half a dozen signed up. “We then went and we got some capital from various sources, including private and federal, and tried to stand this HPC thing up under the rubric of what we call the Cyber Institute. And that allowed us to have a neutral ground for bringing in researchers and other parties and not run this out of the IT organization. We were bootstrapping it out of IT but it gave us a way to think about it and not just break the backs of people who had more than full-time jobs to do. We now have about a dozen universities — and even a high school — that have allocations on high-performance computing.”

Since then Clemson has held high-performance computing workshops around the state, many of which attract 70 or more people. “There’s this sort of pent-up demand,” Bottum says.

Today cluster utilization rates run at 80% to 85% and often peak above 90%. “In the cluster world, this is incredible,” Bottum says.

OrangeFS and OpenFlow

Of course the cluster is also core to a lot of work the university is doing, including development of a parallel virtual file system and work on OpenFlow, one of the highest-level projects to come out of the Global Environment for Network Innovations (GENI).

After trying several popular file systems for Clemson’s cluster, researchers determined they needed higher performance and greater reliability, says Boyd Wilson, executive director of computing, systems and operations. The result: revival of development work on the open source Parallel Virtual File System (PVFS) with the original architect, Clemson faculty member Walt Ligon. Ligon is working with a Clemson spin-off company called Omnibond that is providing commercial services for the file system.

In the Clemson cluster, OrangeFS is used to virtualize 32 commodity Dell storage servers while providing a single name space for the cluster nodes, Wilson says. Directory and file metadata are distributed on 1.6TB of solid state drives across the 32 storage nodes and there is a total of 256TB of raw rotational disk storage.

Unlike other high-performance file systems such as Lustre, which can only have a single metadata server, OrangeFS’ distributed metadata approach and unified name space enable the file system to scale nicely while also simplifying operations, Wilson says.

These capabilities may ultimately benefit enterprise computing environments. “With a unified name space across potentially hundreds of storage nodes, you can add and remove nodes as needed and customers won’t notice their files moving or ever have to be pointed to a new storage location,” Wilson says. “Your unstructured data stores can grow and resize and be redundant and you won’t have all of these different little silos of data. So it holds some potential to become an enterprise computing solution a couple of years down the road.”

One Clemson researcher, Sebastien Goasguen, is using OrangeFS to develop a cloud-based infrastructure that can launch and work with tens of thousands of cluster-based virtual machines at once. “It leverages OrangeFS by enabling you to have a shared high-performing file system between all cluster nodes,” Wilson says.

Goasguen is collaborating with KC (Kuang-Ching) Wang to build software-defined networks between VMs and client machines using OpenFlow, “which represents a nice convergence point with the university’s work on OpenFlow,” he says.

Clemson is one of seven collaborators with Stanford on the initial OpenFlow deployment. What started out as a tool to facilitate network research by adding an open, centralized, software-defined layer of network routing, OpenFlow promises to “change the whole way we think about networking,” Wilson says. “A lot of people are realizing they would like more software-based control over their network infrastructure. ... You can do some really neat stuff.”

For  example,  while  it  isn’t  too  painful  for 
Clemson  to  shift  IP  addresses  from  its  main 
data  center  to  a  smaller  center  on  campus 
because  they  share  subnets,  when  you  start 
doing  that  over  long  distances  and  with  mul¬ 
tiple  locations,  it  becomes  extremely  difficult, 
Wilson  says.  OpenFlow  should  vastly  sim¬ 
plify  the  task  by  allowing  dynamic  networks 
to  be  created  and  changed  at  the  infrastructure 
level,  but  also  at  the  application  level,  opening 
up  significant  opportunities  for  improvement 
in  network  flexibility  and  security. 

While  it  is  unclear  when  and  if  Clemson  will 
be  able  to  profit  from  work  on  OpenFlow,  it  is 
already  profiting  from  OrangeFS  and  other 
software  that  is  licensed  through  Omnibond 
Systems,  Wilson  says.  For  example,  compa¬ 
nies  interested  in  OrangeFS  can  purchase  a 
10-server  bundle  from  Omnibond  with  sup¬ 
port  for  $45,000. 

Other  Clemson  work  that  Omnibond 
licenses  includes  identity  management  tools 
(including  drivers  for  Novell’s  Identity  Man¬ 
ager)  and  even  traffic  vision  technology  that 
state  transportation  departments  can  use  to 
help  turn  roadside  video  feeds  into  sensors. 

While  the  license  fees  help  offset  Clemson 
IT  costs,  the  work  also  helps  attract  and  keep 
really  good  people,  Wilson  says. 

Enterprise  IT 

As  important  as  the  HPC  cluster  is,  if  it  goes 
down,  “researchers  understand  that’s  the  way 
life  goes,”  says  CTO  Pepin.  “If  the  enterprise 
side  goes  down,  we  get  fired.  It’s  a  smaller  por¬ 
tion  of  the  computer  electrical  power  but  90% 
of  the  pain,  so  we  care  deeply  about  it.” 

The  enterprise  side  of  the  data  center 
includes  a  mainframe  that  supports  two  major 
systems,  the  main  Medicaid  system  for  the 
state  and  the  university’s  student  information 
system,  which  includes  financial  aid  and  reg¬ 
istration.  “We’re  on  the  front  end  of  a  transi¬ 
tion  to  a  new  Medicaid  system  based  on  MITA 
(the  Medical  Information  Technology  Archi¬ 
tecture)  and  a  student  information  system 
replacement  project,  so  the  mainframe  will 
be  gone  in  about  five  years,”  CIO  Bottum  says. 
The  new  systems  will  be  based  on  redundant 
commodity  hardware  and  virtual  machines. 

The  rest  of  the  enterprise  infrastructure 
—  some  700  x86  boxes,  mostly  Dell  and  Sun 
with  a  little  bit  of  IBM  mixed  in  —  supports 
about  155  applications,  including  everything 
from  email  and  payroll  to  the  school’s  Black¬ 
board  course  management  system.  Most  of 
the  machines  are  running  Linux  but  there  is 
a modest amount of specific-purpose Windows and some Unix. “Our direction is to move toward Linux,” Pepin says. ■


Multi-layer  tunnel-less 
encryption  for 
highly-available  and 
redundant  networks. 


Protecting  your  data  no 
longer  means  sacrificing 
network  reliability. 
TOOLS

Server  scripts,  Web  calendars 
and  form  handlers 


One of my recent projects has been
designing  and  building  a  Web  platform 
for  Community  Emergency  Response 
Teams.  CERTs  are  local  organizations 
that  exist  to  provide  emergency  ser¬ 
vices  such  as  fire  suppression,  medical 
assistance  and  search  and  rescue  as 
both  first  responders  as  well  as  a  backup  to  or,  if  things 
are  really  bad,  a  replacement  for  official  services  in 
times  of  disaster. 


Mark Gibbs' Gearhead


We’re  up  to  beta  stage,  having  just  gotten 
the  thumbs-up  from  the  county  we’re  work¬ 
ing  with. 

The  key  issues  are  to  provide  a  home  for 
each  individual  CERT  where  citizens  can 
find  out  when  courses 
are  available  and  provide 
contact  with  the  organiza¬ 
tion  to  ask  questions  and 
sign  up  for  training. 

So,  we  needed  a  way  to 
support  calendars  for  each 
CERT,  which  led  me  to  a 
calendar  system  written  in 
PHP  called  extCalendar  2. 

What  I  needed  was  a  cal¬ 
endar  that  could  be  edited 
by  inexpert  users  and 
could  be  integrated  with  a 
website  so  that  it  had  a  con¬ 
sistent  look  and  feel  with  the  rest  of  the  con¬ 
tent. The problem is that there really aren’t a lot of choices; the majority are clumsy and/or downright ugly, and making them a seamless part of a website is hard work.

ExtCalendar  was  promising  for  several 
reasons.  First,  it  is  really  nice  looking. 
Second,  site  managers  can  be  given  limited 
access  with  a  name  and  password.  Third, 
it  is  well-commented  and  reasonably  well- 
architected  so  that  untangling  the  code  isn’t 
impossible. Fourth, the hosting company we use, Bluehost, offers script installation and management via a third party called SimpleScripts.

If you run Linux or FreeBSD with Apache 1.3+ and PHP 4.1+ (with Safe Mode Off), SimpleScripts makes installing and managing more than 70 Web applications painless and even handles upgrades. I’ll give SimpleScripts a rating of 5 out of 5.

One  of  the  applications 
supported  by  SimpleScripts 
is  the  aforementioned  ext¬ 
Calendar,  and  installation 
on  my  Bluehost  account 
was  a  matter  of  a  few  clicks 
and  keystrokes. 

ExtCalendar  is  actually 
pretty  easy  to  configure 
and  hack.  I  made  a  few 
changes  that  removed  the  default  menu  bar 
and  changed  some  of  the  behavior  of  the  user 
interface,  and  voila!  It  did  the  job  quite  nicely. 

Of  course,  as  we  developed  our  ideas  about 
what  is  needed  we’ve  come  to  realize  that 
extCalendar  is  actually  more  than  is  needed. 
I’m  now  exploring  some  simpler  database 
solutions  but  if  I  ever  need  a  general  calendar 
again,  I  might  well  turn  to  extCalendar  again. 
ExtCalendar  gets  a  rating  of  4  out  of  5. 

One component of the service, the form for people to contact the CERT organizers, led me to use a third-party service called JotForm instead of simply building a form that would call the system mail services.

JotForm  provides  a  really  slick  form  cre¬ 
ation  and  editing  interface  and  builds  very 
sophisticated  embeddable  forms  with  the 
email  routing  of  the  form  content.  The  service 
is  also  compelling  because  it  is  free  for  up  to 
100  submissions  per  month  and  only  $9.95 
per  month  for  up  to  1,000  submissions  (other 
account  levels  are  also  available). 

For  a  more  in-depth  look  at  JotForm  check 
out  this  week’s  issue  of  my  Network  World 
Web  Applications  Alert  newsletter  (“JotForm: 
Forms  done  right!”  tinyurl.com/3pt6yuv). 
JotForm  gets  a  rating  of  5  out  of  5. 

So,  now  we’re  onto  the  next  iteration  of 
the  CERT  platform  design  and  I’m  look¬ 
ing  at  some  other  strategies  for  editing  and 
displaying  course  schedules  that  will  rely 
on  iCal  generators,  RSS  feeds  and  JavaScript 
widgets.  If  I  have  the  opportunity  we  may 
look  at  some  of  these  tools  in  a  few  weeks. 

In  the  meantime,  if  you’ve  got  any  recom¬ 
mendations  for  Web  calendars  and  form  cre¬ 
ation  and  handling  systems,  let  me  know.  ■ 

Gibbs is on time and on form in Ventura, Calif. Submit your thoughts to gearhead@gibbs.com.


PARITY  BITS 

19% 

The  amount  of  spam 
delivered  to  corporate 
email  users,  despite 
use  of  spam  filters. 


ExtCalendar  2  was  used 
because  it  could  be  easily 
edited  by  inexpert  users. 
GADGETS

Sonos  stays  on  top  with  Play:3 
music  system;  Seagate  GoFlex  Turbo 
speeds  up  portable  data  transfer 


Keith  Shaw’s 
Cool  Tools 


Play:3  wireless 
music  system 

by  Sonos,  about  $300 

►  What  it  is:  An  upgrade  to  its  S5  system, 
the  Play:3  from  Sonos  is  an  all-in-one 
wireless  music  system  with  speakers  that 
can  be  easily  connected  to  a  home  network 
(either  connected  directly  via  Ethernet  to  a 
router,  or  wirelessly  with  the  purchase  of 
a  $49  bridge).  Once  connected,  the  Play:3 
will  stream  music  stored  on  a  PC,  Mac  or 
network-attached  storage  device,  or  it  can 
access  several  music  services  or  Internet 
radio  stations  (more  than  100,000,  accord¬ 
ing  to  Sonos). 

The  wireless  mesh  nature  of  the  Sonos 
system  (each  unit  becomes  a  node  in  the 
proprietary  Sonos  wireless  network)  also 
means  you  can  create  a  multi-room  system 
—  the  same  song  can  be  played  simultane¬ 
ously  in  different  rooms  of  your  house,  or 
you  can  stream  different  songs  to  the  other 
rooms.  The  more  you  add  to  the  system,  the 
cooler  it  becomes.  Songs  and  stations  can 
be  controlled  with  an  iPhone,  iPod  Touch, 
iPad  or  Android  smartphones  (via  free  app 
download). 

►  Why  it’s  cool:  The  entire  unit  is  smaller 
than  the  previous  version  (the  S5),  so  it 
can  fit  in  tighter  spots  than  ever  before.  In 
addition,  you  can  rotate  the  Play:3  verti¬ 
cally  to  place  on  a  bookshelf  (the  unit  knows 
what  position  it’s  in),  or  you  can  put  two 


units  within  a  room  and  assign  each  one 
as  a  left  or  right  speaker.  The  lower  price 
(it’s  about  $100  less  than  before)  means 
that  more  people  can  experience  the  Sonos 
universe  without  breaking  the  bank.  As  an 
added  bonus,  the  Ethernet  port  on  the  back 
of  the  Play:3  can  be  used  to  connect  a  PC/ 
notebook,  letting  you  piggyback  the  Sonos 
wireless  mesh  in  case  you  have  a  dead  spot 
in  your  regular  802.11  network. 


► Some caveats: Some music services require additional fees/subscriptions in order to play through the Sonos (Spotify, in particular, required a premium account).

► Grade ★★★★★ (out of five).

GoFlex Turbo

by Seagate, about $120 (for 500GB; 750GB costs $140)

► What it is: The GoFlex Turbo portable hard drive features a 7200 rpm drive, USB 3.0 interface and a free data recovery attempt from SafetyNet should users lose their data. The drive can handle transfer speeds up to 40% faster than its USB 2.0, 5400 rpm counterparts, and comes with the same GoFlex design and cables as its other products in the GoFlex line. This means users can swap cables for different interfaces (eSATA, FireWire, etc.) without needing to purchase a different drive. The unit also lets users swap files between PC and Mac systems without a need for reformatting (although some Mac applications may require reformatting).


►  Why  it’s  cool:  The  Turbo  lives  up  to  its 
name.  It  is  slightly  faster  than  previous  USB 
3.0  drives  I’ve  tested  —  in  my  tests,  I  got  a  blaz¬ 
ing  101.6  MBps  of  read  speeds,  and  between 
53MBps  and  58MBps  of  write  speeds.  This 
was  up  from  the  approximately  90MBps 
speeds  of  previous  drive  tests,  which  also  used 
USB  3.0  cables  but  were  5400  rpm  drives. 

The  SafetyNet  data  recovery  service  is  free 
for  two  years,  and  will  cover  one  recovery 
attempt  on  the  drive,  and  spe¬ 
cialists  will  let  you 
know  whether  a 
remote  or  in-lab 
service  is  the  best 
way  to  get  back 
data  if  a  mishap 
occurs,  Seagate  says. 

It’s  a  nice  added  bonus  for 
users  worried  about  losing 
any  data  on  the  drive. 

►  Grade  ★★★★-> 

Shaw  can  be  reached  at  kshaw@nww.com. 
GoFlex Turbo has an added bonus for users worried about losing data.
Hosted productivity suites:
Google  Apps  or  Microsoft  Office  365? 


IF  YOU  WANT  A  PRODUCTIVITY  solution 
that’s  built  for  modern  times,  then 
Google  Apps  is  your  best  option. 

Office  365  is  analogous  to  taking 
a  gas-powered  car,  replacing  the 
engine  with  a  battery  and  calling  it 
an  electric  vehicle.  In  reality  an  elec¬ 
tric  car  is  designed  from  the  ground 
up  around  how  the  entire  car  should 
work,  from  the  engine  to  the  brakes, 
the  dashboard  and  the  gears. 

That’s  what  you  get  with  Google 
Apps  —  it’s  built  from  the  ground  up 
to  be  a  flexible,  modern,  true  cloud 
platform.  Here  are  some  things  to 
think  about  as  you  compare  Google 
Apps  and  Office  365. 

•  Born  on  the  Web.  We  started  our 
cloud  business  five  years  ago  when 
we  recognized  that  the  way  people 
work  is  fundamentally  shifting.  We  are  more  connected  and  need 
to  work  from  anywhere  and  from  any  device.  The  Web  made  shar¬ 
ing  easy,  and  that  resonated  well  with  early  customers.  Today,  3 
million  businesses  and  counting  have  chosen  Google,  from  com¬ 
panies  such  as  InterContinental  Hotels  Group  to  National  Geo¬ 
graphic,  Virgin  America,  NYU,  the  state  of  Wyoming  and  the  U.S. 
General  Services  Administration. 

•  A  pure  cloud  gets  better  over  time  and  is  always  up  to  date. 
With  Apps,  simply  refresh  your  browser  for  the  latest  innovation. 
Last  year,  our  customers  automatically  received 
more  than  125  new  features.  Conversely,  Office 
365  is  still  about  the  desktop  and  software,  so  it  will 
always  be  tied  to  laborious  and  costly  updates. 

•  Designed  for  teams.  If  your  employees  spend 
most  of  their  time  working  together  rather  than 
on  their  own,  Google  Apps  is  the  better  choice.  We 
work  better  together,  and  ideas  seem  to  flow  when 
we  collaborate.  Google  Docs  allows  multiple  people 
in  the  same  document  and  you  can  see  colleagues 
type  in  real  time.  Instead  of  comments,  Docs  has 
Discussions,  which  bring  others  into  your  docu¬ 
ments  for  rich  conversations.  With  Docs  there's 
no  need  to  worry  about  version  control  or  email 
attachment  overload,  about  checking  a  document 
in  or  out,  or  wondering  if  people  outside  your  com¬ 
pany  use  the  same  software. 

•  Productive  anywhere.  If  your  employees  are 

►  See  Google,  page  22 


SMALL BUSINESSES TODAY ARE LOOKING for ways to improve productivity
and  collaboration  while  reducing  IT 
costs.  However,  many  lack  the  time 
and  resources  to  obtain  the  technolo¬ 
gies  the  world’s  leading  businesses 
use  every  day.  Microsoft  Office  365, 
which  brings  together  Microsoft 
Office,  Microsoft  SharePoint,  Micro¬ 
soft  Exchange  and  Microsoft  Lync  in 
an  always-up-to-date  cloud  service, 
changes  all  that. 

With  Office  365,  businesses  of  all 
sizes  can  get  the  same  robust  capabili¬ 
ties  that  have  given  bigger  businesses 
an  edge  for  years,  and  their  employ¬ 
ees  get  new  ways  to  work  together 
with  ease  using  familiar  Office  appli¬ 
cations  they  already  know  and  love. 
Whether  you’re  located  in  a  large 
metropolitan  city  or  a  rural  town,  we  believe  you  should  be  able 
to  work  the  way  that’s  best  for  you.  Office  365  reflects  this  belief 
—  whether  it’s  the  freedom  to  access  the  service  from  almost  any¬ 
where  on  virtually  any  PC,  mobile  phone  or  Web  browser,  or 
whether  it’s  working  with  the  tools  businesses  already  have. 

With  Office  365,  it  doesn’t  matter  where  your  technology  lives. 
We  offer  applications  and  services  that  allow  some  parts  of  your 
business  to  use  on-premise  tools  while  others  work  in  the  cloud. 
The  choice  regarding  what,  when,  where  and  if  you  want  to  move 
to  the  cloud  is  yours  to  make.  So,  while  some  of 
our  competitors  fight  to  make  productivity  solely 
about  the  cloud,  we’re  more  interested  in  helping 
you  create,  edit  and  share  content  that  makes  you 
and  your  business  shine. 

Built  for  business 

The  way  people  work  together  has  evolved  over  the 
years,  and  Microsoft  Office  has,  too.  Unfortunately, 
many  small  businesses  haven’t  had  access  to  enter¬ 
prise-class  tools,  which  are  better  suited  to  meeting 
the  needs  of  an  increasingly  mobile  workforce. 

Some  of  these  businesses  have  been  forced  to 
collaborate  via  email  attachments,  use  their  per¬ 
sonal  email  account  to  send  professional  commu¬ 
nications,  and  had  no  way  to  view  and  edit  docu¬ 
ments  on  a  mobile  phone.  Having  the  wrong  tools 
for  any  job  is  not  only  cumbersome,  it  also  isn’t 

► See Microsoft, page 22
► Google, from page 20

highly  distributed  and  mobile,  then  Google  Apps  is  a  compel¬ 
ling  choice.  Gone  are  the  days  of  the  homogenous  workforce  with 
Windows-issued  PCs  and  BlackBerries.  Workers  want  the  choice 
to  use  the  device  du  jour,  so  today’s  productivity  applications  need 
to  support  virtually  every  platform.  Google  Apps  is  designed  to 
work  well  on  any  device,  on  any  operating  system;  Office  365  is 
optimized  for  Windows-based  PCs  and  Windows  Phone  7.  With 
Google  Apps  you  can  sync  email,  calendars  and  documents  to  your 
device,  edit  them  on  the  go  and  share  from  anywhere.  You  can  start 
a  document  on  your  computer,  move  to  your  tablet  and  finish  on 
your  phone,  then  send  it  to  your  boss  or  to  the  world. 

•  Simple  and  affordable.  If  you’d  rather  not  write  a  big  check 
and  use  a  decoder  ring  to  determine  what’s  included  in  your 
cloud  offering,  go  with  Google.  With  Google  Apps  we  have  a  sin¬ 
gle,  transparent,  low  price  that  meets  everyone’s  needs:  $50  per 
user,  per  year  —  for  all  businesses  of  all  sizes.  The  same  product  is 
simple  enough  for  the  small  company,  and  powerful,  flexible  and 
customizable  enough  for  the  largest  enterprises.  This  year  we  also 
introduced  a  monthly  no-commit  option  at  $5  per  user,  per  month, 
and there have never been extra fees for basics like 24/7 phone and email support, which Office 365 doesn’t offer to small businesses.

•  Security  and  reliability.  Running  a  reliable  and  secure  cloud- 
based  service  at  a  large  scale  is  challenging,  and  we  have  an  excel¬ 
lent  track  record.  This  year  Gmail  has  been  available  99.99%  of  the 
time,  which  translates  to  less  than  five  minutes  of  downtime  per 
month.  That  includes  all  downtime  for  any  and  all  users. 

A  parting  thought:  Challenge  assumptions  and  explore  your 
choices.  There  was  a  time  when  abandoning  the  old  typewriter 
was  the  more  efficient,  rational  option,  yet  many  still  clung  to  its 
comfort  and  familiarity.  Just  look  at  where  moving  on  from  the 
typewriter  has  gotten  us.  We  hope  you  make  a  similar  choice  in 
this  new  era.  ■ 


►  Microsoft,  from  page  20 
very  professional. 

Neither  is  being  forced  to  make  do  with  consumer-grade  appli¬ 
cations  that  were  retrofitted  for  the  business  world.  Office  365  com¬ 
bines  world-leading  productivity  tools  with  advanced  IT  controls, 
enterprise-grade  security  technologies,  24/7  support  and  the  reli¬ 
ability  people  have  come  to  expect  from  Microsoft. 

Businesses  care  about  features  and  functionality  but,  when 
evaluating  productivity  platforms,  what  they  are  really  voting 
for  is  the  future.  That  “vote”  is  cast  with  hard-earned  dollars 
and  comes  with  a  set  of  expectations  around  what  they’ll  receive. 
That’s  why  leading  companies  such  as  Coca-Cola  Enterprises, 
Sartorius  Group,  Rexel  and  Toyota  Boshoku  Corp.;  governments 
such  as  the  Northern  Ireland  Assembly,  the  state  of  California, 
Barcelona,  Spain,  and  New  York;  educational  institutions  such 
as  the  Salesian  School  of  Hong  Kong  and  New  York  City  public 
schools,  and  thousands  of  small  businesses  around  the  world  are 
choosing  Microsoft. 

We’re  proud  some  of  the  world’s  leading  companies  have  chosen 
to  run  their  businesses  on  Office  365,  and  that  honor  comes  with  a 
lot  of  responsibility.  We  know  our  customers  rightfully  expect  us 
to  help  protect  their  data  and  respect  their  privacy. 

Office  365  offers  a  range  of  service  plans  for  a  monthly  price 
from  $2  to  $27  per  user  per  month.  With  Office  365  for  small  busi¬ 
nesses,  customers  can  be  up  and  running  with  Office  Web  Apps, 
Microsoft  Exchange  Online,  Microsoft  SharePoint  Online,  Micro¬ 
soft  Lync  Online  and  an  external  website  in  minutes,  for  $6  per 
user,  per  month.  These  tools  put  enterprise-grade  email,  shared 
documents, instant messaging, video and Web conferencing, portals and more at everyone’s fingertips. ■
Can you really compare?

When looking at Office 365 alongside Google Apps, can you even use the line “same but different”? I don’t believe you can. While Google Apps is apparently seen as the innovator in the software-as-a-service space, it is actually far behind. Microsoft has been offering cloud services for consumers for longer, and has even had a hosted commercial Exchange offering for longer than Google Apps has been in existence.

Where Google says simplicity in pricing, I see lack of choice and flexibility. Where Google says its offering does not rely on desktop software, I see lock-in and limited or no offline access, let alone the ability for hybrid environments.

Customers need the power of choice when looking at business solutions. Microsoft delivers that every time.
Open API is important

Google Docs provides an API so many new Web 2.0 companies can integrate or can interface its data through a secured connection under the user’s permission. Microsoft Office 365 and its storage SkyDrive do not provide such an API to the public.

There are many third-party services for search, backup, printing and collaboration that would give a better experience to users if Microsoft opened the door. A traditional SDK for local computer software is not enough. As other SaaS companies do, Microsoft needs to announce a Web service API to third parties, whether Office 365 is free or subscription. YOUNG SONG

Office  365  vs.  Google  Apps 

Google gets props for fewer dependencies on on-premise software, a much richer API and a much easier to use calendar system that works for multiple people without a lot of gymnastics. Microsoft could learn from studying Google Calendar for sure.

That  said,  the  Software  Plus  Services 
that  Microsoft  promoted  a  few  years  ago 
is  still  the  way  to  go,  because  the  browser 
was  not  designed  to  be  an  application 
engine.  For  rich  user  experience,  you  are 
going  to  have  to  have  client-side  solutions. 
For  example,  the  macro  capabilities  built 
into  Word  let  you  connect  to  SharePoint 
Online  list  to  do  mail  merge.  Access  can  be 
interactive  with  SharePoint  as  can  Excel. 
Plus  there  are  things  you  can  do  in  Office 
that you can’t in a browser, such as embedding a PowerPoint object right into Word.

Finally,  the  partner  model  for  Office  365 
ensures  that  customers  who  want  it,  can 
be  in  a  relationship  with  certified  experts 
that  can  help  them  do  more,  go  deeper 
and  get  there  faster.  There’s  more  going 
on  here  than  just  features.  BRETT  HILL 
CLEAR CHOICE TEST: NEXT-GENERATION FIREWALL

Palo Alto earns short list status

App-aware firewall proves especially useful for controlling outbound traffic

BY JOEL SNYDER

Palo Alto Networks has injected excitement and innovation into the firewall market with its “next-generation” appliances that combine traditional firewalls, threat mitigation technologies such as anti-malware and intrusion prevention, and the new magic dust of application identification.

We  first  tested  Palo  Alto  in  late  2008  and 
found  the  PA-4020  to  be  an  interesting  prod¬ 
uct  that  still  needed  work.  This  time  around, 
we  tested  Palo  Alto’s  newest  high-end  appli¬ 
ance,  the  PA-5060,  and  found  plenty  to  love. 

The product clocked multi-gigabit speeds even with all threat mitigation and identification features enabled, proving that it’s capable of conducting deep session analysis in an enterprise setting. In fact, using the exact same test scenario, the PA-5060 forwarded traffic 10 times faster than the product we tested in 2008.

With a solid basic firewall feature set and UTM protections such as anti-malware and intrusion-prevention system (IPS), the PA-5060 can be used for inbound traffic. And its application awareness makes it even better suited as an outbound firewall, giving extended visibility into what is happening, and fine-grained control over what is allowed.

Of course, no product is perfect. Palo Alto Networks is a relatively new company with limited resources, and features such as centralized management, Web-based GUI, VPN and network access control-like user identification and host scanning could be improved upon.

However, none of these rough spots should stop network managers from looking carefully at the PA-5060, especially when tackling the thorny problem of outbound access control. The PA-5060 is also able to replace some Web security gateways, with the advantage of combining firewall and gateway in a single device.

Effective  outbound  traffic  control 

Security-conscious network managers have long known that port number is not the same as application. For example, two applications can share the same port, such as Skype and Web browsing, over TCP port 80. And an application can change ports.

A  firewall  rule  that  allows  incoming  traffic 
to  specific  ports  is  generally  sufficient,  since 
you  control  your  own  servers  and  know 
what  applications  are  running  on  them  —  in 
Company: Palo Alto Networks

Product: PA-5060 Next-Generation Firewall

Price: Firewall (with application-aware features): $120,000; UTM features, $26,000

Pros: Strong forwarding rates; no performance penalty for app-aware features; no performance penalty for turning on additional UTM features.

Cons: Performance slows down when UTM, SSL decryption enabled.

theory,  at  least.  While  the  PA-5060  can  be 
used  for  inbound  traffic,  we  focused  on  out¬ 
bound  traffic,  such  as  Web  browsing. 

Outgoing  traffic  has  long  ignored  the  idea 
of  specific  port  numbers,  with  applications  of 
all  types  running  over  whatever  port  seemed 
good  at  the  time.  Network  managers  using 


port  restrictions  to  control  applications  such 
as  Amazon  Cloud  Drive  or  Google  Talk  File 
can’t  easily  do  so,  because  those  applications 
are  happy  to  run  over  the  traditional  port  for 
encrypted  Web  traffic,  443. 

Controlling outbound mail traffic by redirecting everything sent to ports 25, 587 and 465, the common SMTP ports, to enterprise mail servers works only as long as no one out on the Internet is running SMTP on yet another alternative port.

Even  without  the  effects  of  crafty  appli¬ 
cations  and  crafty  users,  enterprise  net¬ 
work  managers  want  greater  granularity 
than  allowing  or  denying  all  Web  brows¬ 
ing.  Because  so  many  applications  are  now 
run  through  Web  browsers,  allowing  gen¬ 
eral  Web  browsing  while  blocking  specific 
applications  is  one  of  the  reasons  to  use  a 
next-generation  firewall.  Or  you  may  want 
to  go  deeper,  such  as  letting  people  read 
blogs,  but  not  let  them  post  to  blogs.  Or 
read  Facebook,  but  not  run  Facebook 
applications  or  use  Facebook  chat. 

We  tested  the  PA-5060  to  determine 
if  it  could  do  what  Palo  Alto  says  it  can: 
effectively  control  application  traffic. 
With  about  1,300  application  signatures, 
we  knew  that  we  couldn’t  test  every  applica¬ 
tion.  So  we  picked  a  set  of  100  common  appli¬ 
cations  that  we  thought  network  managers 
might  want  to  use  as  policy  building  blocks. 

Our  first  challenge  came  because  many 
applications  can  be  effectively  blocked  using 
URL  filtering,  and  the  PA-5060  handles 
URL  filtering  separately  from  application 
identification.  This  requires  some  rethink¬ 
ing  of  security  policy,  because  you  may  use 
URL  filtering  for  some  parts  and  application 
identification  for  others.  For  example,  to 
block  access  to  investing  websites,  we  used 
“financial  services”  URL  filtering,  but  to 
block  people  from  posting  to  financial  web¬ 
sites,  we  created  an  application  group  with 
applications  such  as  “motleyfool-posting” 
and  “google-finance-posting”  to  control  that 
traffic.  In  some  cases,  such  as  blocking  Inter¬ 
net  proxies,  we  used  both  URL  filtering  and 
application  identification. 

In  the  end,  we  were  able  to  block  83%  of 
the  applications  we  set  out  to  block,  and  we 
probably  could  have  improved  that  score  by 
adding  our  own  custom  signatures. 

Our  conclusion  is  that  the  PA-5060  has 
more  than  most  managers  would  need  to 
control  outbound  application  usage.  While 
splitting  application  controls  between  URL 
filtering  and  application  identification  can  be 
error-prone  and  time-consuming,  we  didn’t 
find the additional work to be a show-stopper.

We  did  discover  that  working  with  the 
PA-5060  requires  some  new  ways  of  thinking. 
In  theory,  since  you’re  writing  rules  based  on 
application  identification,  you  actually  don’t 
have  to  put  port  numbers  in  your  firewall 
rules,  at  least  in  the  outbound  direction. 

However,  by  not  putting  port  numbers  in, 
the  PA-5060  allows  all  outbound  connec¬ 
tions,  only  cutting  off  traffic  once  something 
prohibited  is  found.  That  can  have  other  side- 
effects,  such  as  letting  short  bits  of  traffic  out 
that  you  weren’t  expecting.  We  found  a  bug  in 
the  beta  version  we  first  evaluated  using  an 
outbound  policy  without  most  port  numbers. 
The  PA-5060  allowed  entire  connections  that 
should  have  been  prohibited.  Palo  Alto  Net¬ 
works  fixed  the  bug  quickly,  but  it’s  an  exam¬ 
ple  of  the  kind  of  issue  that  can  come  up. 
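Both points above, that a port number says nothing reliable about the application riding on it, and that a rule set written only in terms of applications has to let some bytes through before it can identify anything, are easy to see in a toy model. The following Python is an added example written for this page, not Palo Alto Networks code: the signatures, the SNI-to-application table, the rule sets and the flows are all constructed, and the ClientHello builder exists only so the example runs offline.

```python
"""Toy application-identification firewall: added example, not Palo Alto Networks code.
Signatures, hostnames, policies and flows below are constructed for the demo."""
import struct

# Hypothetical SNI-to-application table standing in for a vendor signature database.
SNI_APPS = {"chat.example-talk.test": "example-talk-file"}


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying a server_name extension."""
    name = sni.encode("ascii")
    sni_ext = (struct.pack("!HH", 0, len(name) + 5)                  # ext type 0, ext length
               + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # one (null) compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(rec: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or incomplete."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                            # record hdr, hs hdr, version, random
        p += 1 + rec[p]                                               # session id
        p += 2 + struct.unpack_from("!H", rec, p)[0]                  # cipher suites
        p += 1 + rec[p]                                               # compression methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            p += 4
            if etype == 0:                                            # server_name: list len, type, name len, name
                nlen = struct.unpack_from("!H", rec, p + 3)[0]
                return rec[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def identify_app(payload: bytes):
    """Classify the client bytes seen so far; None means 'not decisive yet'."""
    if not payload:
        return None
    if payload[0] == 0x16:                                            # TLS: refine by SNI
        sni = parse_sni(payload)
        return None if sni is None else SNI_APPS.get(sni, "ssl")
    head = payload[:64]
    if head.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in head:
        return "web-browsing"
    if head.startswith((b"EHLO ", b"HELO ", b"220 ")):
        return "smtp"
    return "unknown" if len(payload) >= 64 else None


# Rules are (app or None, dst_port or None, action); first match wins.
PORT_POLICY = [(None, 80, "allow"), (None, 443, "allow"), (None, None, "deny")]
APP_POLICY = [("web-browsing", None, "allow"), ("ssl", None, "allow"), (None, None, "deny")]
STRICT_POLICY = [("web-browsing", 80, "allow"), ("ssl", 443, "allow"), (None, None, "deny")]


def evaluate(policy, app, port):
    for r_app, r_port, action in policy:
        if (r_app is None or r_app == app) and (r_port is None or r_port == port):
            return action
    return "deny"


def pending_action(policy, port):
    """Decision while the app is still unknown: an app-agnostic rule decides outright;
    an app-specific allow rule on this port means bytes must pass so the app can be learned."""
    for r_app, r_port, action in policy:
        if r_port is not None and r_port != port:
            continue
        if r_app is None:
            return action
        if action == "allow":
            return "pass-to-identify"
    return "deny"


def run_flow(policy, dst_port, packets):
    """Push one direction of a flow through the policy.
    Returns (verdict, client payload bytes that passed before the verdict was reached)."""
    seen, passed = b"", 0
    for pkt in packets:
        seen += pkt
        app = identify_app(seen)
        if app is not None:
            return evaluate(policy, app, dst_port), passed
        action = pending_action(policy, dst_port)
        if action != "pass-to-identify":
            return action, passed
        passed += len(pkt)
    return "undecided", passed


if __name__ == "__main__":
    hello = build_client_hello("chat.example-talk.test")
    print(run_flow(PORT_POLICY, 443, [b"", hello]))                  # ('allow', 0): port says "HTTPS"
    print(run_flow(APP_POLICY, 443, [b"", hello]))                   # ('deny', 0): App-ID sees the app
    print(run_flow(PORT_POLICY, 443, [b"", b"EHLO mail.test\r\n"]))  # ('allow', 0): SMTP hiding on 443
    print(run_flow(APP_POLICY, 8025, [b"", b"A" * 30, b"B" * 40]))   # ('deny', 30): bytes leak first
    print(run_flow(STRICT_POLICY, 8025, [b"", b"A" * 30]))           # ('deny', 0): port closes it at once
```

The five verdicts tell the story: a port-based policy waves the constructed chat application through on 443 and lets SMTP hide there too; an application-based policy catches both, but the unknown protocol on port 8025 has already leaked 30 bytes before it is classified, while the strict policy that pairs each application with its expected port closes that flow on its first packet.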

Since  the  PA-5060  must  look  deep  into  out¬ 
bound  traffic  to  identify  applications,  some 
type  of  man-in-the-middle  SSL  decryption  is 
required.  Configuring  and  using  SSL  decryp¬ 
tion  is  not  difficult,  and  the  PA-5060  has  a 
very  well  thought-out  model  for  handling  it. 
For  example,  a  proper  configuration  gives  the 
PA-5060  two  different  certificates  to  use  to  re¬ 
encrypt  traffic:  one  considered  valid  by  end 
users  and  one  considered  invalid. 

This lets the PA-5060 properly pass back to the end user cases where an invalid certificate was offered by an upstream website. SSL decryption is handled in a separate policy from normal firewall rules, another well-designed feature.
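Here is what that two-certificate model looks like in code. This is an added example, not Palo Alto Networks code: it uses the Python cryptography library, generates a throwaway “Forward Trust” and “Forward Untrust” CA, re-signs the upstream certificate with whichever one matches the upstream validation result, and copies the server’s subject, SANs and validity window so the re-issued certificate cannot outlive the original. The CA names, hostnames and the simplified chain check are constructed for the demo.

```python
"""Forward-proxy certificate re-issue with separate trusted and untrusted signing CAs.
Added example, not Palo Alto Networks code; CA names, hostnames and the chain check are constructed."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)


def _validity(cert):
    """Validity window as aware datetimes (newer cryptography releases expose *_utc properties)."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def make_cert(subject, issuer_name, issuer_key, pub_key, not_before, not_after, ca=False, sans=()):
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer_name).public_key(pub_key)
         .serial_number(x509.random_serial_number())
         .not_valid_before(not_before).not_valid_after(not_after)
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def make_ca(cn):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, make_cert(name, name, key, key.public_key(),
                          NOW - timedelta(days=1), NOW + timedelta(days=3650), ca=True)


def chain_ok(cert, roots):
    """Simplified client-side check: issued by a known root, signature valid, dates valid."""
    for root in roots:
        if cert.issuer != root.subject:
            continue
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
        nb, na = _validity(cert)
        return nb <= NOW <= na
    return False


class DecryptingProxy:
    """Terminates TLS, validates the upstream cert, re-signs toward the client with one of two CAs."""

    def __init__(self, public_roots):
        self.public_roots = list(public_roots)
        self.trust_key, self.trust_ca = make_ca("Forward Trust CA")       # installed on managed endpoints
        self.untrust_key, self.untrust_ca = make_ca("Forward Untrust CA")  # deliberately installed nowhere
        self.leaf_key = ec.generate_private_key(ec.SECP256R1())            # key the proxy uses toward clients

    def reissue(self, upstream_cert):
        upstream_ok = chain_ok(upstream_cert, self.public_roots)
        key, ca = (self.trust_key, self.trust_ca) if upstream_ok else (self.untrust_key, self.untrust_ca)
        try:
            sans = upstream_cert.extensions.get_extension_for_class(
                x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
        except x509.ExtensionNotFound:
            sans = []
        nb, na = _validity(upstream_cert)   # copy the server's own window so the copy cannot outlive it
        return make_cert(upstream_cert.subject, ca.subject, key, self.leaf_key.public_key(),
                         nb, na, sans=sans)


def build_scenario():
    """Constructed world: one public root, one properly issued site, one self-signed site."""
    root_key, root = make_ca("Example Public Root")
    good = make_cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "good.example.test")]),
                     root.subject, root_key, ec.generate_private_key(ec.SECP256R1()).public_key(),
                     NOW - timedelta(days=1), NOW + timedelta(days=90), sans=["good.example.test"])
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "rogue.example.test")])
    rogue = make_cert(rogue_name, rogue_name, rogue_key, rogue_key.public_key(),
                      NOW - timedelta(days=1), NOW + timedelta(days=90), sans=["rogue.example.test"])
    return DecryptingProxy([root]), good, rogue


if __name__ == "__main__":
    proxy, good, rogue = build_scenario()
    browser_roots = proxy.public_roots + [proxy.trust_ca]   # what the managed endpoint trusts
    for label, cert in (("good", good), ("rogue", rogue)):
        c = proxy.reissue(cert)
        print(label, "->", c.issuer.rfc4514_string(), "| client accepts:", chain_ok(c, browser_roots))
```

The point of the untrusted CA is that the firewall never has to synthesise a browser error: the client runs its own chain validation against a certificate it cannot trust and shows its own warning, so the user sees the same failure the upstream site would have caused without the proxy. The trust CA’s private key, by contrast, can mint a certificate for any name the endpoints will accept, so it deserves the same protection as the box’s own management credentials.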

The last piece of next-generation firewall wizardry we looked at was the ability to identify users, and write rules based on user, rather than just zone or IP address. While the PA-5060 definitely has this feature, there are significant limitations.

Gathering user identification information is hard. One option is the built-in captive portal, which may be useful in a guest wireless network or an environment where network users are accustomed to such gateways, such as a university network. But we don’t think that enterprises would find this acceptable.

The other is via a Windows application which captures domain authentications and IP addresses out of the event logs from Active Directory servers. That would work fine in a very constrained, very homogeneous environment, but would miss a lot of users in others.

This difficulty isn’t actually the PA-5060’s fault: No one has come up with a particularly good way to capture this information short of deploying 802.1X and some type of NAC on their LAN. Unfortunately, if you did enable 802.1X, the PA-5060 has no ability to gather that information from NAC products.

With user identification fully integrated into the normal policy rules, it’s easy to constrain outbound access based on who the user is. Unfortunately, getting that information is so difficult that we think this will have limited usefulness in large networks and works best in small environments, such as branch offices.

User identification is the incomplete piece that would let the PA-5060 take on another significant enterprise security market, the Web security gateway or Web proxy. The PA-5060 does everything that enterprise products from vendors such as Blue Coat Systems, Cisco, McAfee and Websense do.

If Palo Alto Networks wants to fully take on these giants in all market niches, it will need to work harder on user identification.

Even if you don’t choose to write access control rules based on user identification, there is a good reason to collect that information: It appears in the log files. Since every session is logged with extensive information, adding user identification just makes the job of the security analyst that much easier. For this reason, we’d recommend turning on user identification, even if it doesn’t properly identify 100% of network users.
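How the Active Directory event-log approach and the log-enrichment benefit fit together, as an added example that is not the PA-5060’s user identification agent: IP-to-user mappings are built from constructed logon/logoff events, expire after an assumed timeout, and are then stamped onto constructed traffic log lines. The event and log line layouts, the addresses and the 45-minute timeout are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed, simplified AD security events: timestamp, event id, account, source ip.
# 4624 (logon success) and 4634 (logoff) are the real Windows event ids.
AD_EVENTS = """\
2011-09-01T08:00:05Z 4624 alice 10.1.2.30
2011-09-01T08:02:10Z 4624 bob 10.1.2.31
2011-09-01T08:30:00Z 4634 alice 10.1.2.30
2011-09-01T09:05:00Z 4624 carol 10.1.2.30
"""

# Constructed firewall traffic log lines: timestamp, src, dst, app, bytes.
TRAFFIC_LOG = """\
2011-09-01T08:10:00Z 10.1.2.30 203.0.113.10 web-browsing 4096
2011-09-01T08:40:00Z 10.1.2.30 203.0.113.11 dns 120
2011-09-01T09:10:00Z 10.1.2.30 203.0.113.12 ssl 8192
2011-09-01T09:10:00Z 10.1.2.99 203.0.113.12 ssl 300
"""

TIMEOUT = timedelta(minutes=45)  # assumption: a mapping with no logoff goes stale after this


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_mappings(events):
    """Turn logon/logoff events into (ip, user, start, end) intervals."""
    active = {}        # ip -> (user, logon time)
    intervals = []

    def close(ip, end):
        user, start = active.pop(ip)
        intervals.append((ip, user, start, min(end, start + TIMEOUT)))

    for line in events.splitlines():
        when, event_id, user, ip = line.split()
        t = _ts(when)
        if event_id == "4624":
            if ip in active:            # a new logon on the same address ends the old mapping
                close(ip, t)
            active[ip] = (user, t)
        elif event_id == "4634" and active.get(ip, (None,))[0] == user:
            close(ip, t)
    for ip in list(active):             # never logged off: cap the mapping by the timeout
        close(ip, active[ip][1] + TIMEOUT)
    return intervals


def lookup_user(intervals, ip, t):
    """User active on `ip` at time `t`, or 'unknown' (the honest answer, not a guess)."""
    for map_ip, user, start, end in intervals:
        if map_ip == ip and start <= t < end:
            return user
    return "unknown"


def enrich_traffic(traffic, intervals):
    """Return (src, user, dst, app) for each traffic log line."""
    rows = []
    for line in traffic.splitlines():
        when, src, dst, app, _nbytes = line.split()
        rows.append((src, lookup_user(intervals, src, _ts(when)), dst, app))
    return rows
```

A host that reuses an address after its previous user logged off is labelled "unknown", not blamed on the earlier user, which is the behaviour an analyst wants from a partial mapping.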

Eye-opening visibility features

Traditionally, firewalls have been control points for security, and network managers who want to know what is happening on their networks turn to other devices and other vendors. We expect that next-generation firewalls will begin to be more than control points, and will start to also answer the question, “What traffic is passing over the network?”

This visibility and reporting function won’t obviate the need for IDSs, Netflow tools and protocol analyzers. Instead, it will supplement them by giving detailed information on what is, and is not, passing through the firewall itself.

The main reason for adding visibility, a radical increase in functionality, is the need for matching context between reporting and rule writing. The additional functionality of a next-generation firewall, including application identification and user identification, requires reporting to use the exact same terms as the firewall controls.

For example, our PA-5060’s reports broke traffic to our Web servers into five separate categories: Web-browsing, Web-crawlers, http-audio, http-video and flash. Without knowing exactly how the firewall was going to categorize the traffic, we couldn’t effectively write rules to control the traffic.

Adding a visibility function also makes sense because the firewall has already done most of the work. Next-generation firewalls are constantly engaging in deep session inspection to identify applications, threats, URLs, and other attributes of the session, in order to apply their rules. Therefore, it’s reasonable to reuse that work by reporting on what is passing through the firewall.

The Palo Alto Networks PA-5060 has so many good reporting and visibility tools that it’s easy to forget that it’s a firewall. But that’s important to keep in mind, because although the tools work great, they only take you so far — and the PA-5060 is not a complete replacement for other visibility-focused products.

The main starting point for viewing your traffic is the PA-5060’s Application Command Center, which shows a constantly updated list of top applications, source and destination hosts and countries, URL filtering categories, IPS rules, data types (such as ZIP, PDF, Excel file, etc.) and a few other categories. This view alone will likely be an eye-opener for most network managers, as most of this is not available in traditional visibility tools.

For example, the PA-5060 told us that the top application (both in terms of sessions and of byte counts) running on our networks was not what we expected — Web traffic of some kind, or maybe email — but something completely different: DNS. More importantly, by clicking through the Web-based reports, we were able to drill down further to identify the misbehaving hosts.

The Application Command Center only has summary information in it, giving you lists of up to 500 items for any time frame you choose. That sounds good, although we found that asking for more than the past 24 hours was slow going. Still, if you wanted to get those top lists for the past month and were willing to wait a few minutes, the PA-5060 could give it to you.

The Application Command Center is great for what it is, but it’s not re-summarizing the firewall logs every time you click. This means that trying to filter the data on something that the PA-5060 is not reporting on can’t be done. For example, since there is no report on “port number,” you can’t summarize all traffic on port 80.

To get deeper, the PA-5060 has a pastiche of additional tools. The most useful include log analyzers and periodic reporting tools. Jumping between the Application Command Center and the detailed log analysis tools is easy, because once you’ve narrowed down what you want to look at, the filter is automatically passed over into the log analyzer.

The log analyzers are one place where it’s easy to get carried away. For example, once you’ve spent a while building a great filter to identify a particular subset of traffic, it would be nice to be able to dump that filter into a reporting tool and get a summary report. Unfortunately, you can’t — although we found it hard to hold this against the PA-5060, because it already was telling us more information about our network, faster, and in more detail than most of the other visibility tools we had.

Not everything is perfectly thought-out. A series of flashy tools collected under the generic title “App Scope” are just silly, ranging from the poorly designed Summary page, which mixes graph types and time frames into a confusing jumble of misdirection, to the “why is this useful” traffic map, which draws different-sized and -colored dots on a map in an attempt to show where your traffic is going.

Still, the visibility tools are so good that it’s difficult to find serious fault with the PA-5060. We don’t think that you’d want to buy the PA-5060 as a visibility tool all on its own, and Palo Alto Networks isn’t selling it that way. But having such sophisticated and powerful ways to look into the network traffic crossing your firewall could easily sway the decision to buy the PA-5060 instead of a traditional firewall, even if you didn’t think you wanted next-generation firewall functionality.

Basic firewall features are solid

Before a firewall can be a next-generation firewall, it has to cover the basics of a plain-old firewall. In our 2007 tests of UTM firewalls, we identified characteristics that any firewall must have to be considered a proper enterprise product, including firewall, VPN and NAT functionality, advanced networking support (such as link aggregation and virtual LANs), high availability and high performance, extended IP functionality (routing, QoS and IPv6) and global management.

We started by testing basic firewall functionality: writing rules to allow and block traffic, implement source and destination NAT policies and build site-to-site VPNs.

The main configuration interface is a Web-based GUI, although a command-line interface (CLI) is also available. Network managers who prefer the easy simplicity of Cisco IOS or Juniper’s ScreenOS CLI will discover that the Palo Alto CLI is more like editing raw XML, and not nearly as simple or straightforward to learn or use.

The productivity-killing part of the Web-based GUI is the commit model. After making changes in the user interface, you have to “commit” the changes to the firewall. There’s nothing wrong with that, except that a commit takes about 25 seconds. When you’re making occasional changes, the commit delay is a mild annoyance. When you’re debugging and making rapid small changes, slow commits become a significant speed bump. Don’t think that using the CLI will save you — the same commit delay applies.

We took our lab’s existing main production Juniper ScreenOS firewall policy, with 182 rules in it, and tried to convert it to fit into the Palo Alto firewall. The job was easier than we had imagined, because Palo Alto has fixed one of our long-standing design complaints about the Juniper firewall: the inability to put more than one security zone in a single firewall rule. The PA-5060 supports rules with more than one security zone, which let us shrink our policy down by a third. Smaller policies simplify firewall management, and reduce the risk that human error will introduce a security hole. The Palo Alto Networks firewall won points for both transparency and simplicity.

We were also able to move our NAT configuration, with both source and destination NAT rules, easily. We had less success, though, in trying to move our site-to-site VPN configuration. The Palo Alto firewall has an extensive site-to-site IPsec VPN capability, and we were successfully able to build tunnels and pass traffic with Cisco, Juniper and SonicWall firewalls.

We don’t think network managers with large VPN deployments will want to move to Palo Alto quite yet. Panorama, Palo Alto’s centralized management tool, doesn’t build or manage VPNs across firewalls, meaning any large deployment has to be built by hand. Also, Palo Alto firewalls only support route-based VPNs, meaning that traffic is pushed into tunnels by routing tables rather than the Security Policy Database called for by the IPsec standards. That meant we had to do some re-engineering of policy and our NAT configuration to fully rebuild our five-site VPN. For small VPNs, or large VPNs that don’t change very often, Palo Alto will work fine. But the product isn’t at the same level of power and flexibility that other enterprise firewalls support.

The PA-5060 firewall passed all our other enterprise firewall functionality tests with no problems and a minimum of unexpected behavior. We were successfully able to configure and use dynamic routing, QoS features and networking features, such as link aggregation and VLAN tagging. You shouldn’t buy the PA-5060 firewall to use primarily as a WAN router or a bandwidth management device, but that’s no different a conclusion than we’d make about any of the enterprise firewalls on the market today. The PA-5060 supports both active/passive and active/active high availability, but we did not test this feature.

We were also impressed that the PA-5060 came out of the box with a full set of IPv6 capabilities, including firewall rules, application identification and control, static routing and management and monitoring tools. The only missing piece is dynamic routing. Our testing did exercise some IPv6 bugs, though, as we managed to lock up the IPv6 side of the firewall, requiring a system reboot.

The Panorama centralized management tool makes it easy to transition from single firewall to multiple firewall management. Security policies and policy objects can be built in Panorama and pushed to multiple firewalls, which covers the biggest use case for centralized management.

The Panorama management model will be attractive to network managers who want to share management between a central authority and individual network managers, such as in branch offices. Panorama doesn’t take over the entire firewall; instead, the Panorama-created security policy is merged with individual policies on each firewall.

Even if you don’t use Panorama for configuration of firewalls, it still brings a benefit by collecting and reporting on log information for multiple firewalls at the same time.

As an enterprise firewall, the PA-5060 can certainly be a credible competitor to products from Check Point, Cisco, Juniper and SonicWall. While we found some weaknesses, network managers should definitely consider Palo Alto firewalls for enterprise deployments.

UTM features are broad, granular

Next-generation firewall vendors don’t like the term “UTM” (Unified Threat Management) very much because UTM products have been unfairly painted as only appropriate for small businesses. However, next-generation firewalls need threat mitigation features just as much as UTM firewalls do. While the buzzword police fight out the differences and split hairs, we tested the PA-5060’s UTM features, including IPS, anti-malware and URL filtering.

The PA-5060 lumps threat management and mitigation into a set of seven policies collected together as Security Profiles. The seven policies include traditional anti-malware, vulnerability protection (IPS policy), and URL filtering, as well as the slightly-more-unusual file blocking, data filtering and denial-of-service (DoS) attack protections.

For every rule that lets traffic through the firewall, you can apply a separate Security Profile. This would let you apply, for example, one set of DoS protections to seldom-used Web servers and a different set to heavily used ones. Or, you could apply different IPS signatures for incoming traffic than for outgoing. Since PA-5060 rules can also include user identification, you could even have different sets of URL filtering rules depending on whether the user is identified or not. We tried all of these things and were able to successfully show a high level of granularity.

Overall, the configuration of UTM features is easy and flexible. Unlike some firewalls where the UTM features are systemwide or apply to all traffic, we found the ability to tie different threat protection profiles to different sets of traffic both intuitive and useful. The PA-5060 has adopted an easy-to-use model with the right amount of flexibility.

When we looked in detail at some of the UTM features, we found that the anti-malware detection rate was good, but not great. We tested using a set of fresh viruses that had been caught by our enterprise anti-malware scanner over the 24 hours prior to our test and had a 75% capture rate. The PA-5060 does not use a third-party anti-malware engine; Palo Alto has its own engine that combines multiple threat protections (IPS and anti-malware) into a single uber-engine. This suggests that the PA-5060 is good as a secondary anti-malware protection device, but does not obviate the need for other gateway and desktop anti-malware.

With URL filtering, we also had typical results for all engines: Our testing showed a few false positives and a few false negatives, along with the usual mis-categorizations.

We configured, but did not rigorously test, file blocking, data filtering and DoS protection capabilities. File blocking lets you identify certain file types that can then be blocked for either upload or download or for both. We found that the file blocking was easily fooled. For example, putting a file into a .zip archive effectively hid the file type, as did changing the first few bytes of the file (by adding blank lines) and, in one case, changing the filename. Data filtering, a type of data leak protection, successfully let us search for strings and wild cards in various applications flying by, but really isn’t powerful enough to qualify as a data leak protection solution.
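The three ways the file blocking was fooled, beside the content-based checks that catch them, as an added example that is not the PA-5060’s file-blocking engine: classification by magic bytes rather than filename, tolerance for padding ahead of a PDF header, and descent into ZIP archives. All sample files are constructed in memory; the magic-byte values are the real ones.

```python
import io
import zipfile

# Real magic-byte prefixes for a few blockable types.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
    b"\xd0\xcf\x11\xe0": "ms-office",   # legacy OLE container (.doc/.xls)
}
HEADER_WINDOW = 1024   # PDF readers accept a %PDF header anywhere in the first 1 KB


def extension_type(name):
    """What a filename-based blocker sees; renaming the file defeats it."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else "unknown"


def content_type(data):
    """Classify by bytes only; 'unknown' when no magic matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # Blank lines in front of a PDF header do not stop readers opening the file,
    # so the detector must not stop at offset 0 either.
    if b"%PDF-" in data[:HEADER_WINDOW]:
        return "pdf"
    return "unknown"


def contained_types(data, depth=0, max_depth=3):
    """Types found in `data`, descending into ZIP archives up to `max_depth`."""
    kind = content_type(data)
    found = {kind}
    if kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > 50_000_000:      # refuse to inflate huge members
                        found.add("oversized-member")
                        continue
                    found |= contained_types(zf.read(info), depth + 1, max_depth)
        except zipfile.BadZipFile:
            found.add("corrupt-zip")
    return found


def should_block(data, blocked=("pdf", "exe")):
    """Block if any blocked type appears in the payload or inside its archives."""
    return bool(contained_types(data) & set(blocked))


# Constructed samples.
PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
PADDED_PDF = b"\n\n\n" + PDF          # the "add blank lines" evasion


def zipped(name, data):
    """Constructed ZIP archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()
```

Nested archives are followed only to a fixed depth and oversized members are skipped, so the inspection itself cannot be turned into a decompression-bomb problem.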

To test intrusion prevention, we fed the PA-5060 a live Internet feed of approximately 40Mbps for several weeks and watched what it told us. As with most IPS-in-a-firewall products, the PA-5060 doesn’t match the flexibility and power of dedicated IPS products.

However, the policy management system is exceptionally good for this class of device, and most network managers will find it easy to configure policies and examine events. Policies select threats from Palo Alto’s own library of about 1,900 threats, and are applied to firewall traffic rules. This integration of IPS and firewall rule is important, because it lets you select very different IPS policies on a granular basis for different types of traffic.

When defining policies, Palo Alto encourages you to use the “simple” settings, which offer a list of severities (critical, high, medium, low and informational) and an option for each severity, essentially “block” or “allow.” You can also take Palo Alto’s advice and select “default,” which will pick whatever mysterious default Palo Alto shipped with the IPS signatures.

However, you do have the option to select “custom” settings, which lets the network manager pick a specific action for each signature. In this mode, more options are available, including simply dropping packets, resetting connections and even blocking IPs (a common request after detected brute force attacks).

Each policy, whether “simple” or “custom,” also has a list of exceptions — threats that should be ignored. One critical and valuable feature of the PA-5060 GUI is the ability to go directly from a log entry to the exception list with just a few clicks, and without losing your place. This lets you handle false positives quickly and get back to the difficult work of interpreting IPS events.
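The simple/custom/exception policy model just described, as an added example that is not PAN-OS policy code: a small evaluator with the precedence exception, then per-signature custom action, then severity setting, then the signature’s shipped default. The signature ids, their defaults and the action names are constructed assumptions.

```python
SEVERITIES = ("critical", "high", "medium", "low", "informational")
# Assumed action vocabulary: "drop" drops packets, "reset-both" resets the
# connection, "block-ip" blocks the source address.
ACTIONS = {"allow", "alert", "drop", "reset-both", "block-ip"}

# Constructed signature database: id -> (severity, vendor-shipped default action).
SIGNATURES = {
    31001: ("high", "alert"),       # brute-force login attempt
    31002: ("critical", "drop"),    # worm command-and-control beacon
    31003: ("low", "allow"),        # noisy scanner fingerprint
    31004: ("medium", "alert"),     # cross-site scripting probe
}


class Profile:
    """One vulnerability-protection profile, attachable to a firewall rule."""

    def __init__(self, simple=None, custom=None, exceptions=()):
        self.simple = dict(simple or {})        # severity -> action, or "default"
        self.custom = dict(custom or {})        # signature id -> action
        self.exceptions = set(exceptions)       # signature ids to ignore entirely
        bad = (set(self.simple.values()) | set(self.custom.values())) - ACTIONS - {"default"}
        if bad:
            raise ValueError(f"unknown action(s): {sorted(bad)}")
        if set(self.simple) - set(SEVERITIES):
            raise ValueError("unknown severity in simple settings")

    def action_for(self, sig_id):
        """Resolve the action for one signature under this profile."""
        severity, shipped_default = SIGNATURES[sig_id]
        if sig_id in self.exceptions:
            return "allow"
        if sig_id in self.custom:
            return self.custom[sig_id]
        chosen = self.simple.get(severity, "default")
        return shipped_default if chosen == "default" else chosen

    def add_exception_from_log(self, log_entry):
        """The 'log entry straight to the exception list' workflow."""
        self.exceptions.add(log_entry["threat_id"])


def evaluate(profile, events):
    """Return [(threat_id, action)] for constructed threat-log events."""
    return [(e["threat_id"], profile.action_for(e["threat_id"])) for e in events]
```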

Analyzing events from the PA-5060 IPS is easy, and the GUI has some nice reporting tools built in to simplify the task of managing IPS events. For example, we defined an IPS report to show us the top events for our critical systems. Once we ran the report, we were very pleased to see that all of the elements were “hot links” that let us drill down into the actual IPS event logs very quickly. These reporting and analysis tools are scattered around the management system, intermixed with other tools for other parts of the firewall.

Palo Alto chose to group log analysis tools by the type of tool, rather than the part of the firewall generating the log information, which makes it somewhat cumbersome to just concentrate on IPS events without, for example, stumbling over “top 10 URL categories” along the way. Still, we found ourselves relatively expert at flying between reports, logs, log filters and events after only a few hours of practice. Network managers for whom IPS analysis is a part-time job will find the PA-5060 offers considerable power without a lot of complexity.

The IPS management system in the PA-5060 will not replace a dedicated IPS console, but it represents one of the most sophisticated IPS event analysis tools we’ve ever seen in a firewall. The IPS console in Panorama offers the same capabilities as the firewall GUI, except that Panorama is able to report on events from multiple devices at once. We found some bugs in Panorama’s reporting that blocked us from generating full reports, so we concentrated our testing on our PA-5060 by itself.

As with all IPSs, the PA-5060 required some tuning before we were ready to set it loose on our production network. We focused on IPS events marked as “high” and “critical” severity, and immediately found a number of important things going on in our network — and no high or critical false positives.

The top 50 events, which the PA-5060 marked as high severity, were all brute force login attempts to SSH servers, Windows Terminal Server servers, FTP servers and mail servers. Fair enough, and accurate. Same with Conficker, which was hitting our network on average every 30 seconds, along with someone looking for cross-site scripting vulnerabilities, and a variety of other break-in attempts.

When we were doing our testing, we quickly discovered an important detail: If you ever want to understand what your firewall is telling you, it’s critical to enable not just threat logging, but also URL logging and traffic logging. Without all three pieces of information, the IPS logs themselves are vague enough that many events cannot be tracked or understood. This has important implications for enterprises deploying the PA-5060 with IPS features enabled — you also have to enable logging on everything else.
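Why the three logs have to be read together, as an added example that is not PAN-OS reporting code: constructed threat, traffic and URL records are joined on a session id, and the same join run with only the threat log shows which fields the analyst loses. The field layouts, session ids and addresses are constructed, not PAN-OS’s own.

```python
import csv
import io

# Constructed threat log: one row per IPS event.
THREAT_LOG = """\
session_id,severity,threat,src,dst
1001,high,SSH brute force login attempt,198.51.100.7,10.1.2.10
1002,critical,PDF Exploit Evasion,203.0.113.44,10.1.2.30
1003,high,SSH brute force login attempt,198.51.100.7,10.1.2.11
"""

# Constructed traffic log: the session the event belongs to.
TRAFFIC_LOG = """\
session_id,app,user,bytes,action
1001,ssh,unknown,2400,allow
1002,web-browsing,alice,1200000,allow
1003,ssh,unknown,500,deny
"""

# Constructed URL log: only web sessions produce one.
URL_LOG = """\
session_id,url,category
1002,http://203.0.113.44/downloads/invoice.pdf,unknown
"""


def _index(text):
    """session_id -> row, for a CSV log with a header line."""
    return {row["session_id"]: row for row in csv.DictReader(io.StringIO(text))}


def correlate(threat_log, traffic_log=None, url_log=None):
    """One enriched record per threat event; fields from disabled logs are None."""
    traffic = _index(traffic_log) if traffic_log else {}
    urls = _index(url_log) if url_log else {}
    records = []
    for t in csv.DictReader(io.StringIO(threat_log)):
        sid = t["session_id"]
        tr, u = traffic.get(sid, {}), urls.get(sid, {})
        records.append({
            "session_id": sid,
            "severity": t["severity"],
            "threat": t["threat"],
            "src": t["src"],
            "dst": t["dst"],
            "app": tr.get("app"),
            "user": tr.get("user"),
            "bytes": int(tr["bytes"]) if tr else None,
            "fw_action": tr.get("action"),
            "url": u.get("url"),
        })
    return records


def triage(records):
    """Order for the analyst: high/critical events on sessions that were not
    denied come first. An unknown firewall action (traffic log off) is treated
    as allowed, because the analyst cannot prove otherwise."""
    def key(r):
        hot = r["severity"] in ("critical", "high")
        allowed = r["fw_action"] != "deny"
        return (not (hot and allowed), r["session_id"])
    return sorted(records, key=key)
```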


The “no false positive” rule didn’t hold quite so well as we moved down the severity category to “low” and “informational” events. In those areas, we found a number of false positives. Since the PA-5060 is being sold as an in-line device, we didn’t find these false positives a big issue, as network managers deploying the PA-5060 shouldn’t be depending on anything other than “high” and “critical” events.

When we were investigating these top events, we found a common frustration: poor documentation on the threat and vulnerability database. For example, one threat that caught our eye was something the PA-5060 called “PDF Exploit Evasion.” Looking that up on Palo Alto’s threat database portal gave us no useful information: no CVE number, no description or threat analysis other than “PDF exploit evasion has been found on your network.” Enterprise IPS products generally include extensive documentation on threats to help the network manager understand criticality and impact, and the PA-5060 hasn’t met this standard.

We also tested the PA-5060 IPS using a Mu Dynamics test chassis and their published vulnerabilities tests. When we tested UTM firewalls using the same test chassis in 2007, most firewalls using recommended settings blocked only about a third of the attacks (the average score across all products was 32% block rate, with a low of 14% and a high of 75% using recommended settings). The PA-5060 did better in this test, blocking 90% of the attacks in the client-to-server direction and 93% of the attacks in the server-to-client direction. Since our tests are four years apart, it’s difficult to draw any conclusions from these results, other than to say that the IPS in the PA-5060 seems to do a good job on the 1,954 vulnerabilities in our Mu Dynamics tester.

Network managers looking for better control and higher security in their firewalls need to pay attention to Palo Alto Networks. The PA-5060 goes beyond legacy products from the big three enterprise firewall vendors — Cisco, Juniper and Check Point — and has earned its place on evaluation short lists.

Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.


Palo  Alto  balances  speed  and  security 


BY  DAVID  NEWMAN,  NETWORKTEST 

alo  Alto’s  new  firewall  delivered 
performance  10  times  faster  than 
when  we  tested  in  2008,  and  came 
close  to  its  rated  capacity  of  20Gbps 
in  firewall-only  mode,  according  to 
our  exclusive  Clear  Choice  testing. 

Of  course,  there  is  always  a  trade-off 
between  security  and  performance.  In  the 
case  of  Palo  Alto’s  PA-5060,  it  all  depends  on 
what  features  you  turn  on  and  off. 

Palo  Alto  has  shaken  up  the  firewall  mar¬ 
ket  with  its  “application  aware”  feature,  and 
we  found  that  this  next-generation  capability 
carries  no  performance  penalty.  The  PA-5060 
does  application-layer  inspection  by  default. 

On  the  other  hand  —  and  this  is  a  pretty  big 
caveat  —  UTM  rates  were  nowhere  near  the 
device’s  stated  20Gbps  limit.  Performance 
was  far  lower  with  any  UTM  feature  enabled 
compared  with  firewall-only  mode. 

Regardless  of  which  UTM  features  we 
enabled  —  intrusion  prevention,  anti-spy- 
ware,  antivirus  or  any  combination  of  these 
—  results  were  essentially  the  same  as  if  we’d 
turned  on  just  one  such  feature.  Simply  put, 


there’s  no  extra  performance  cost,  beyond 
the  initial  sharp  drop  in  rates,  for  layering  on 
multiple  types  of  traffic  inspection. 

Rates  also  fell  when  the  device  handled  SSL 
traffic.  And  when  decrypting  SSL  traffic,  the 
system’s  four  10-Gigabit  Ethernet  interfaces 
ran  at  rates  that  would  make  Fast  Ethernet 
aficionados  smile. 

Some  of  this  is  to  be  expected.  All  security 
devices  slow  down  when  handling  SSL  traffic, 
and  we’ve  seen  far  bigger  drops,  in  percentage 
terms,  when  enabling  UTM  features. 

Overall,  we’d  characterize  the  PA-5060 
as  a  capable  performer.  While  it  offers  many 
unique  application-inspection  capabilities,  it 
doesn’t  quite  do  away  with  the  perennial  ques¬ 
tion  about  security  vs.  23  trade-offs. 

Forwarding  rate  was  the  primary  metric 
in  our  tests.  We  used  both  mixed  and  static 
HTTP  loads  to  measure  rates  under  various 
configurations,  along  with  separate  tests  to 
assess  performance  for  SSL  traffic.  We  also 
verified  the  PA-5060’s  TCP  connection  capac¬ 
ity  and  connection  setup  rate. 

The  forwarding  rate  tests  clearly  show  that 
the  PA-5060,  which  can  be  equipped  with 
up  to  four  lOGbps  interfaces,  runs  at  least  10 


times  faster  than  earlier  Palo  Alto  models. 

In  a  test  involving  heavy  Web  traffic  with 
a  mix  of  content  types  and  object  sizes,  the 
PA-5060  moved  data  at  around  17Gbps  when 
configured  as  a  firewall  (see  Figure  1). 

That’s  a  bit  under  the  system’s  20Gbps 
rated  capacity,  which  isn’t  altogether  surpris¬ 
ing  since  such  data-sheet  numbers  often  are 
obtained  using  best-case  conditions. 

The  traffic  load  we  used  involved  a  mix  of 
text,  images  and  binary  content  of  various  sizes 
— j  ust  the  sort  of  Web  traffic  often  seen  on  enter¬ 
prise  networks.  The  17Gbps  rate  we  saw  in  test¬ 
ing  is  probably  a  more  meaningful  predictor  of 
performance  on  production  networks. 

The  mixed  traffic  load  offered  here  is  iden¬ 
tical  to  the  one  Joel  Snyder  used  in  his  2008 
review  of  Palo  Alto’s  PA-4020  firewall.  In  that 
test,  the  PA-4020  topped  out  at  around  1.6Gbps 
(versus  of  a  rated  capacity  of  2.0Gbps). 

As  with  most  other  security  devices,  rates  fall 
sharply  if  UTM  functions  are  enabled.  Again 
using  the  same  mixed  Web  load,  we  saw  rates 
drop  from  17Gbps  to  around  5.3G  or  5.4Gbps. 

The  good  news  is  that  rates  held  steady 
regardless  of  the  number  of  UTM  functions  in 
use.  So,  it  doesn’t  matter  whether  the  PA-5060 
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Performance  ranged  from  a  blazing  17Gbps  in 
firewall-only  mode  to  a  sluggish  108Mbps  with 
SSL  decryption  and  all  UTM  features  enabled. 
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does  anti-malware,  intrusion  prevention  or 
both  of  these. 

One way of boosting forwarding rates is to disable server response inspection, which checks traffic flowing from servers to clients. Disabling this feature caused rates to nearly triple, to 13.7Gbps. This setting is mainly useful when the firewall sits in front of data centers or other server farms. Enterprise network managers deploying firewalls to protect clients will want to keep server inspection enabled (which is the default setting).

SSL encryption is compute-intensive. Even with dedicated silicon, the PA-5060, like virtually all other high-end firewalls, is far slower when handling SSL traffic.

The PA-5060 generally moved traffic at around 7.5Gbps to 7.6Gbps in every test case. We initially suspected that the nearly identical rates were caused by some limit in our test gear. But back-to-back tests of the Spirent Avalanche equipment without the PA-5060 in line moved traffic at around 8.6Gbps, faster than the firewall. So the test gear wasn’t the bottleneck.

Rates for SSL traffic (without decryption) are higher than those for cleartext traffic, except in the firewall-only test case. This suggests the PA-5060 does less inspection of SSL traffic by default. Palo Alto’s engineers confirmed this, but only for the particular traffic generated by Spirent Avalanche; in this case, the PA-5060 simply classified the traffic as type “SSL” and did no further inspection. Palo Alto says there are cases where the PA-5060 can detect certain attacks hidden in SSL traffic, but we did not attempt to verify that claim.

The PA-5060 does support decryption of SSL traffic for deeper inspection, but that feature comes with a heavy performance cost. When doing SSL decryption, rates fell to 986Mbps when the PA-5060 acted as a firewall, and just 108Mbps with all UTM features enabled.

If higher-speed decryption of SSL is required, network managers might consider a purpose-built appliance.

A traffic load that mixes object sizes offers one approximation of what enterprise Web traffic might look like. We also ran separate tests with fixed object sizes: one with 10KB objects, since this is close to the average object size as observed in many studies of Web logs, and another with 512KB objects, since this large size would better describe maximum firewall rates.

Of course, no production network carries Web traffic where every request is for 10KB or 512KB objects, but the goal was to describe the limits of firewall performance when handling average and large Web objects.

Not surprisingly, the PA-5060 turned in its single fastest result, nearly 18.7Gbps, when configured as a firewall and presented with 512KB objects (see Figure 2). With 10KB objects, rates were a bit slower, around 16.3Gbps.

Enabling UTM features produced a similar result to the mixed-object loads: Rates were substantially lower, but very consistent regardless of which combination of anti-malware and intrusion prevention we used. Here again, the PA-5060 moved large objects faster than average-size objects after we’d enabled UTM features, though by a smaller margin than in the firewall-only tests. With UTM features turned on, the PA-5060 moved large objects only about 1Gbps faster (around 6.2Gbps to 6.3Gbps) than average-size objects.

The PA-5060 also moved SSL traffic at lower rates when static objects were involved, especially in tests with large objects. This is an expected result, since more bytes means more work for the device’s encryption engine. In most SSL test cases, rates were around 10.5Gbps to 11Gbps with average-size objects and around 8.8Gbps with large objects.

Also, traffic rates for SSL were around the same regardless of which features we enabled or disabled. As in the mixed-object tests, the PA-5060 didn’t try any further inspection after classifying the Spirent traffic as SSL.

Decrypting SSL traffic carried a heavy performance cost, even higher than in the mixed-object tests. With SSL decryption enabled, rates fell as low as 100Mbps. And we used the weaker RC4-MD5 cipher; if anything, rates would likely be lower still with a stronger cipher such as AES256-SHA1.
We also conducted separate tests to determine how many concurrent connections the PA-5060 could handle, and how quickly it could set up and tear down those connections.

In the TCP connection capacity tests, we configured Spirent Avalanche to build up successively larger connection counts by having each existing connection make one new HTTP request every 60 seconds. The largest number of concurrent connections the PA-5060 handled without errors was 3,620,979. While 3.6 million is a huge number, it’s also less than the device’s rated capacity of 4 million. After testing concluded, Palo Alto said it had identified a bug in the software version we tested, and that a release scheduled by press time would allow the firewall to handle 4 million concurrent connections.

In a related test, we also examined the maximum rate at which the firewall would set up and tear down new connections. Here, we configured Spirent Avalanche to use HTTP version 1.0, forcing each HTTP request to set up a new TCP connection. The PA-5060 handled 44,120 connections per second error-free when using all four of the device’s 10-Gigabit Ethernet interfaces. In tests involving two interfaces and an earlier version of the Palo Alto software, we observed error-free rates of nearly 47,000 connections per second. Either rate is very high and will probably be more than sufficient for the majority of enterprise users.
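To show why the connection-rate test above was run over HTTP version 1.0, here is an added example (not part of the Network World review, and not Palo Alto or Spirent tooling) that runs a tiny loopback HTTP server which counts the TCP connections it accepts, then sends the same number of requests once as HTTP/1.0 and once over a single HTTP/1.1 keep-alive connection. The loopback address, the `Host: lab` header and the request counts are constructed for the demonstration.

```python
import socket
import threading

def _read_response(f):  # consume one HTTP response: status line, headers, body
    length = 0
    while True:
        line = f.readline()
        if line in (b"\r\n", b""):
            break
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1])
    f.read(length)

def _serve(listener, counter, stop):
    """Accept loop: count every TCP connection and answer each request on it."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        counter[0] += 1
        with conn, conn.makefile("rb") as f:
            req = f.readline()  # request line, e.g. b"GET / HTTP/1.0\r\n"
            while req:
                while f.readline() not in (b"\r\n", b""): pass  # skip headers
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
                if req.rstrip().endswith(b"HTTP/1.0"):
                    break  # HTTP/1.0: one request per connection, then close
                req = f.readline()  # HTTP/1.1 keep-alive: read the next request

def run_test(requests, use_http10):
    """Return (requests sent, TCP connections the server accepted)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # constructed lab setup: loopback, any port
    listener.listen(64)
    counter, stop = [0], threading.Event()
    server = threading.Thread(target=_serve, args=(listener, counter, stop))
    server.start()
    try:
        if use_http10:  # one TCP connection per request, as in the review
            for _ in range(requests):
                with socket.create_connection(listener.getsockname()) as s, s.makefile("rb") as f:
                    s.sendall(b"GET / HTTP/1.0\r\nHost: lab\r\n\r\n")
                    _read_response(f)
        else:  # HTTP/1.1 keep-alive: every request rides the same connection
            with socket.create_connection(listener.getsockname()) as s, s.makefile("rb") as f:
                for _ in range(requests):
                    s.sendall(b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n")
                    _read_response(f)
    finally:
        stop.set()
        server.join()
        listener.close()
    return requests, counter[0]
```

With HTTP/1.0 the server sees one TCP connection per request, which is what makes a connections-per-second figure meaningful; with keep-alive the same request count exercises only one connection.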

While there’s room for improvement in the PA-5060’s performance, especially when it comes to UTM performance and SSL decryption, we’re encouraged by these results. The PA-5060 is already far faster than the PA-4020 tested earlier, and it’s still one of the few firewalls with true application-layer inspection capabilities. With some optimizations to UTM and SSL performance, it may do away with security/performance trade-offs once and for all. ■

Newman is a member of the Network World Lab Alliance and president of Network Test, an independent test lab and engineering services consultancy. He can be reached at dnewman@networktest.com.
Figure 2: Palo Alto PA-5060 performance: Static HTTP content. When we switched things up and tested with static object sizes, the PA-5060 delivered nearly 18.7Gbps in firewall-only mode with 512KB objects.
No nyms equals evil

TWO WEEKS ago I contended that “freedom and privacy, in any meaningful sense, are dead,” and discussed the two types of privacy: “factual” privacy, which concerns “static” data such as your age and cholesterol level, and “lifestream” privacy, which is the real-time data about things such as where you go and who you talk to.

We all know that our factual privacy is in tatters, with every business and government agency that has any interest being capable of finding out whatever it needs to know about us, the law notwithstanding. As for the erosion of our lifestream privacy, well, that’s somewhat new but even more insidious, with most online businesses collecting, analyzing and retaining insane amounts of data about our virtual activity.

Now, just consider the consequences of relating our factual data with our lifestream data. Not only could we easily be tracked but our online experience could be tailored to have an effect someone else wants.

In last week’s column I segued into a discussion about online anonymity, which can protect your lifestream privacy, and observed that you can achieve this if you’re technical enough to use an anonymizing service such as the Tor Network (unless “they” really are out to get you).

I ended by pointing out that there is another side of anonymity to consider: pseudonyms, also called “handles,” aliases, nicknames or, my favorite, “nyms.” Some people argue that nyms are a bad thing because they enable dissembling and inauthenticity, while others argue that they are essential in preserving the freedoms of people who would otherwise be oppressed.

If you’ve been following the rollout of Google’s Google+ social networking service you may have seen Google’s policy demanding that your account use your “real” name.

Google’s argument for this policy is about as disingenuous as it gets, contending “this makes connecting with people on the Web more like connecting with people in the real world ... so that the people you want to connect with can find you.” Surrrre.

Of course, what counts as a “real” name in the real world is more than a little tricky when you consider unconventional spellings and foreign names. Not unexpectedly, Google blew off its own foot a few weeks ago when it canned several thousand accounts for what Google saw as violations of their policy.

The truth, I suspect, is that Google is more interested in doing what any right-thinking user would abhor: trying to link factual and lifestream data for commercial purposes, and the company sees its social networking platform as a powerful intelligence-gathering mechanism that “real” names make even more powerful.

Google has been, in many ways, an admirable organization, but to call its names policy shortsighted would be kind. They can’t reliably determine what are “real” names; they’ve inconvenienced many and excluded all of those who, for example, live under politically repressive regimes or who might for social reasons wish to stay anonymous.

Nyms matter enormously, and an online world without nyms, where everyone can be easily tracked, completely measured, tidily pigeonholed and endlessly manipulated, will become much less free and much less valuable. “Do no evil.” Right. ■

Gibbs (his real name?) might live in Ventura, Calif. Your comments via nym or otherwise to backspin@gibbs.com.
Now your car needs cybersecurity protection?

DO WE really need to start worrying about the cybersecurity of our cars? The U.S. government in particular thinks so.

The U.S. Department of Transportation (DOT) this month issued a Request For Information to the security industry to help it create a road map to build “motor vehicle safeguards against cybersecurity threats and assure the reliability and safety of automotive electronic control systems.”

According to the RFI: “The DOT is collecting relevant information to characterize needs and establish a strategic research road map to meet the rising challenges of ensuring the safety of automotive safety-critical systems due to increasing complexity of motor vehicle systems using advanced electronic controls.”

The DOT wants input to help it make strategic decisions about “next research steps and justifying initiatives relative to research possibilities as well as revised approaches to regulation, enforcement, incident/forensics, vehicle testing, communications/outreach/professional capacity building, or recommended electronic hardware/software systems architecture and engineering design safeguard principles and/or practices, including human factors and training considerations.”

Basically starting from scratch, the DOT is looking at all manner of cybersecurity topics including:

• Types and magnitudes of risks in modern motor vehicles.

• Threats and vulnerabilities to safety-critical systems within vehicle networks and vehicle connectivity to the outside world.

• How risks might amplify with increasing connectivity.

• Risk management including risk/vulnerability assessment and approaches/strategies to risk mitigation that can be applicable.

• Security testing, including penetration testing.

• Approaches to cybersecurity outreach and training throughout the automotive value chain.

• Incident/forensic approaches.

• Secure automotive controller-area networks and diagnostics.

• Was there an initial event or occurrence that brought cybersecurity issues to the forefront in the industry? If so, what was it?

• What industry committees or working groups were formed?

• What standards were used, modified or created?

• What approaches to cybersecurity were developed, how, and how are they evolving as the industry moves forward?

• What was/is the role of the federal government in the industries’ cybersecurity practices and how did it evolve?

• How were issues such as privacy, sensitive competitive information, addressed?

The DOT is working with the Research and Innovative Technology Administration (RITA)/Volpe National Transportation Systems Center to gather the information.

The DOT’s own Connected Vehicles program is a prime example of what the agency is looking to protect. The Connected Vehicles program includes vehicles fitted with technology that lets them communicate with each other online and with roadway infrastructure like traffic lights, dangerous road segments and railroad crossings to avoid accidents and be alerted for roadway problems and other hazards. ■

Follow Michael Cooney on Twitter: @nwwlayer8
Through ROI workshops, technical tutorials, strategy sessions, roundtable discussions, keynote addresses, networking opportunities and an interactive expo floor, you’ll hear fresh perspectives and new technology insights from practitioners, and experienced, high-profile end users.

All new morning tracks include:

• The New Data Center

• The Connected Enterprise

• The Modern Network

• The Public & Private Cloud

• The Evolving Threat Landscape

Who Attends:

• CIOs & VPs

• Directors of IT

IT ROADMAP 2011

Dallas, TX

San Jose, CA, November 15

Washington, DC, December 7

To learn more, visit:

For more information about sponsorship opportunities and benefits, contact Andrea D’Amato, Vice President and Publisher of Network World, at adamato@nww.com or 508-766-5455.
Since the start of 2010, more than 250 companies around the world have migrated workloads (including Oracle workloads) to System z! Why? Maybe it’s the savings (up to 50% on applicable IT costs). Or the top-rated EAL5 security classification. Or because it delivers up to 99.999% availability and uptime. Or maybe it’s an even better reason: all of the above.

IT COST SAVINGS reflect overall reductions in software and/or hardware maintenance charges and reduced costs of system and workload management over a period of 3-5 years, when consolidating workloads from other systems to a virtualized Linux environment on System z. AVAILABILITY percentage is based on System z servers in a Parallel Sysplex environment, assuming application data sharing across multiple servers. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Contact IBM to see what we can do for you. Current as of 7/7/2011. IBM, the IBM logo, ibm.com, System z, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2011.


